Windows Analysis Report
SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
Analysis ID: 1430097
MD5: a2af719ea5acf34dbba496a4a2d14b87
SHA1: c034b644776331c512e7b5953993ba9b86ce1728
SHA256: 574f282bee0927e2582139d6c6ef565c10e49d5187dc87625aecfeb66d61105f
Tags: exe
Infos:

Detection

PrivateLoader, PureLog Stealer
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 52
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected PrivateLoader
Yara detected PureLog Stealer
Drops large PE files
Found suspicious ZIP file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs Task Scheduler Managed Wrapper
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
query blbeacon for getting browser version

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe (PID: 1404 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe" MD5: A2AF719EA5ACF34DBBA496A4A2D14B87)
    • SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp (PID: 4824 cmdline: "C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp" /SL5="$2041C,1631103,874496,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe" MD5: 3B531BFA13D2F16B94E463747A9B0022)
      • BitComet_2.07_setup.exe (PID: 6832 cmdline: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S MD5: 6257440E341224790F7E2D8286B149CE)
        • BitCometService.exe (PID: 2716 cmdline: "C:\Program Files\BitComet\tools\BitCometService.exe" /reg MD5: AE7FBFF183FF30913EBEB38913E8CFAD)
        • BitComet_stats.exe (PID: 3540 cmdline: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=BitComet_2.07_setup.exe&p=x64 MD5: EDB96675541D0275C42096B64D794D3B)
      • prod0.exe (PID: 7024 cmdline: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100" -i -v -d -se=true MD5: 732EBDF213C6DB82F652B52D7C36CCD6)
        • mrybn0ui.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent MD5: 7533BE3F2041A3C1676863FDB7822C66)
          • RAVEndPointProtection-installer.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent MD5: 41A3C2A1777527A41DDD747072EE3EFD)
            • rsSyncSvc.exe (PID: 5244 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10 MD5: DED746A9D2D7B7AFCB3ABE1A24DD3163)
              • conhost.exe (PID: 2784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 8524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • saBSI.exe (PID: 6836 cmdline: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: 143255618462A577DE27286A272584E1)
      • BitComet.exe (PID: 2184 cmdline: "C:\Program Files\BitComet\BitComet.exe" --no_elevated MD5: 1E74EE00A40D42C984DA333B5E3CEACE)
      • WerFault.exe (PID: 884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 964 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6336 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • BitComet.exe (PID: 3708 cmdline: "C:\Program Files\BitComet\BitComet.exe" MD5: 1E74EE00A40D42C984DA333B5E3CEACE)
    • UPNP.exe (PID: 7148 cmdline: "C:\Program Files\BitComet\tools\UPNP.exe" -addfw -app BitComet -tcpport 7319 -udpport 7319 -q MD5: FEBBAF0C03103A63E0141A96535B7745)
    • msedgewebview2.exe (PID: 7220 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3708.7216.9049188055043856713 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7248 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\BitComet\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\BitComet\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7460 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:2 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7472 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:3 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7524 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:8 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7560 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7596 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7608 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 7632 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)
      • msedgewebview2.exe (PID: 8108 cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1 MD5: 9909D978B39FB7369F511D8506C17CA0)
    • UPNP.exe (PID: 8164 cmdline: "C:\Program Files\BitComet\tools\UPNP.exe" -add -app BitComet -lanip 192.168.2.6 -tcpport 7319 -udpport 7319 -q MD5: FEBBAF0C03103A63E0141A96535B7745)
  • BitCometService.exe (PID: 2876 cmdline: "C:\Program Files\BitComet\tools\BitCometService.exe" -service MD5: AE7FBFF183FF30913EBEB38913E8CFAD)
  • svchost.exe (PID: 3816 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5964 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rsSyncSvc.exe (PID: 4568 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10 MD5: DED746A9D2D7B7AFCB3ABE1A24DD3163)
  • Uninstall.exe (PID: 2320 cmdline: "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub MD5: 7533BE3F2041A3C1676863FDB7822C66)
    • Uninstall.exe (PID: 1464 cmdline: "C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe" /auto-repair=RavStub MD5: 7533BE3F2041A3C1676863FDB7822C66)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dll | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLL | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(68 more entries not shown)

Source | Rule | Description | Author | Strings
0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security |
00000012.00000002.3603778711.0000020958852000.00000002.00000001.01000000.00000039.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(13 more entries not shown)

Source | Rule | Description | Author | Strings
18.2.RAVEndPointProtection-installer.exe.20958850000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
18.2.RAVEndPointProtection-installer.exe.20958760000.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
8.2.BitCometService.exe.400000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security |
8.0.BitCometService.exe.400000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security |
17.0.BitCometService.exe.400000.0.unpack | JoeSecurity_PrivateLoader | Yara detected PrivateLoader | Joe Security |
(3 more entries not shown)

System Summary

Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6336, ProcessName: svchost.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, Avira: detected
Source: C:\Program Files\BitComet\tools\BitCometService.exe, Virustotal: Detection: 7%
Source: C:\Program Files\BitComet\tools\UPNP.exe, Virustotal: Detection: 11%
Source: C:\Program Files\BitComet\tools\Updater.exe, Virustotal: Detection: 8%
Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, ReversingLabs: Detection: 44%
Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, Virustotal: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F914F0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CryptMsgGetParam,CertFreeCRLContext,CertFreeCRLContext,13_2_00F914F0
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F917A0 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptQueryObject,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,13_2_00F917A0
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F45870 GetCurrentProcessId,GetCurrentThreadId,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,UuidCreate,UuidCreate,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,13_2_00F45870
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F46220 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,13_2_00F46220
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F7E610 CryptMsgClose,13_2_00F7E610
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F467B0 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,13_2_00F467B0
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F7EB60 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptQueryObject,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,13_2_00F7EB60
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F7F150 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertFreeCRLContext,13_2_00F7F150
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe, Code function: 13_2_00F7F3C0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertGetNameStringW,CertGetNameStringW,CertGetCertificateChain,CertFreeCertificateChain,CertFreeCertificateChain,CertVerifyCertificateChainPolicy,CertFreeCertificateChain,CertFreeCRLContext,CertFreeCRLContext,13_2_00F7F3C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe, Code function: 21_2_00007FF7E36F14A0 CryptQueryObject,GetLastError,CryptMsgGetParam,GetLastError,LocalAlloc,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,CertGetNameStringW,CertGetNameStringW,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,21_2_00007FF7E36F14A0
Source: C:\Program Files\BitComet\BitComet.exe, Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION BitComet.exe

Compliance

Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, Window detected: HYPERLINK "http://www.bitcomet.com/doc/term-of-use.php" End User License Agreement HYPERLINK "https://www.bitcomet.com/doc/privacy-policy.php" Privacy Policy This will install BitComet to your computer click "Next" to continue. BitComet is a free BitTorrent download client! BitComet is powerful super-fast and easy-to-use. Welcome to BitComet Installer &Next Cancel
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\ReadMe.txt
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\License.txt
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\ChangeLog.txt
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\BitComet.exe
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\CrashReport.exe
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\WebView2Loader.dll
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ar.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-bg.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-bs.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ca.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-cs.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-da.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-de.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-el.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-en_US.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-es.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-et.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-eu.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-fa.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-fi.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-fr.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-gl.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-he.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-hr.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-hu.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-hy.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-id.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-it.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ja.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-kk.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-kn.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ko.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ku.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-lt.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-lv.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-mk.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ms.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-nb.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-ne.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-nl.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-pl.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-pt.mo
Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, Directory created: C:\Program Files\BitComet\lang\bitcomet-pt_BR.mo
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ro.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ru.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-sk.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-sl.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-sq.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-sr.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-sv.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ta.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-th.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-tr.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ug.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-uk.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ur.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-vi.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-zh_CN.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-zh_TW.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\HowTo-Translate.txtJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\ip2locationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\ip2location\ip2location.binJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\toolsJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\UPNP.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\VideoSnapshot.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\Updater.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\BitCometToastsNotifier.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\BitCometToastsNotifier.pngJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\ChromeLauncher.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\ChromeLauncherManifest.jsonJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\ChromeExtension.crxJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\EdgeExtension.crxJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\FirefoxLauncherManifest.jsonJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\FirefoxExtension.xpiJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\BitCometAgent_1.92.7.9.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\tools\BitCometService.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\BitComet.urlJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\uninst.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_100_percent.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\icudtl.dat
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSE
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\LICENSES.chromium.html
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ar.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bg.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bn.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ca.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\cs.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-GB.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-US.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es-419.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\et.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fi.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fr.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\gu.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\he.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hr.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hu.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\id.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\it.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ja.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\kn.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ko.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lt.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\lv.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ml.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\mr.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nb.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\nl.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pl.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-BR.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-PT.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ro.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ru.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sk.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sr.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sw.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ta.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\te.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\th.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\tr.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\uk.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ur.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\vi.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-TW.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources.pak
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar.sig
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\version
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader_icd.json
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\amd64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ARM64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\EDR\x64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\elam
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\elam\rselam.cat
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.inf
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsuser.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe.config
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\SecurityProductInformation.ini
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\Signatures.dat
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.sig
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\WhiteList.dat
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\rsKerneluser.inf
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\mc.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\NAudio.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\netstandard.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsBridge.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Features.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\rsKerneluser.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RAVEndPointProtection-installer.exe.log
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\ReadMe.txt
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\License.txt
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeStatic PE information: certificate valid
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: F:\develop\VideoSnap\app\Release_unicode\VideoSnapshot.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\BitCometAgent_ActiveX\app\Release_Unicode\BitCometAgent_ActiveX.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsAtom.pdb source: mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 0000000C.00000000.2574778574.000002A71BA42000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: rsTime.pdb source: mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\tools\desktop-toasts\Release\BitCometToastsNotifier.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Source\Repos\DS-Platform\zbShield-Utils-CPP\zbShieldUtils\bin\Release\zbShieldUtils.pdb source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2645128806.0000000007670000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\RavStub\obj\Release\RavStub.pdb source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000018.00000000.2675573107.00007FF7E3787000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\x64\Release\ArchiveUtility.pdb source: mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: d:\Develop\BitCometExtension_IE\app\release_unicode\BitCometBHO.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: #F:\develop\VideoSnap\app\Release_unicode\VideoSnapshot.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\BitCometExtension_Chrome\bc_launcher_for_chrome\Release\ChromeLauncher.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsDatabase.pdb source: mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsLogger.pdb source: mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsJSON.pdb source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\develop\CrashReport\CrashRpt_v3\bin\x64\Release LIB\CrashReport.pdbx source: BitComet.exe, 0000000F.00000003.2645391968.00000246CED30000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000018.00000000.2675573107.00007FF7E3787000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: rsLogger.pdbx source: mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\develop\BitComet_2.07\app\Release_unicode_x64\GUI_BitComet_wx.pdb source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\develop\CrashReport\CrashRpt_v3\bin\x64\Release LIB\CrashReport.pdb source: BitComet.exe, 0000000F.00000003.2645391968.00000246CED30000.00000004.00001000.00020000.00000000.sdmp

                                Spreading

                                Source: Yara matchFile source: 8.2.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 8.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 17.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2c26c59.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000008.00000000.2507776107.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000000.2656115134.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\VideoSnapshot.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\BitCometService.exe, type: DROPPED
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files\BitComet\BitComet.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_0040672B FindFirstFileW,FindClose,6_2_0040672B
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_00405AFA
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_00402868 FindFirstFileW,6_2_00402868
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: 13_2_00FC9BF0 FindFirstFileExW,13_2_00FC9BF0
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: 25_2_004CDF28 FindFirstFileExW,25_2_004CDF28
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user\AppData
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user\AppData\Local
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Users\user\AppData\Local\Temp

                                Networking

                                Source: Yara match File source: 8.2.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 8.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 17.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 6.2.BitComet_2.07_setup.exe.2c26c59.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara match File source: 00000008.00000000.2507776107.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara match File source: 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match File source: 00000011.00000000.2656115134.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara match File source: C:\Program Files\BitComet\tools\VideoSnapshot.exe, type: DROPPED
                                Source: Yara match File source: C:\Program Files\BitComet\tools\BitCometService.exe, type: DROPPED
                                Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\netstandard.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll, type: DROPPED
                                Source: unknown Network traffic detected: IP country count 36
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 21_2_00007FF7E36FFAA0 URLDownloadToFileA,21_2_00007FF7E36FFAA0
                                Source: BitComet_stats.exe, 00000009.00000003.2553032136.0000000003629000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2569900816.00000000083B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ftp://http://%.20s%ddefault%d%.20scopying
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitCometService.exe, 00000008.00000000.2507909936.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitCometService.exe, 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://.css
                                Source: BitComet_stats.exe, 00000009.00000003.2682186092.0000000008846000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://.debug_mode
                                Source: BitComet_stats.exe, 00000009.00000003.2681261391.0000000007910000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://.googlecom/optimize/opt-launch.html?
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitCometService.exe, 00000008.00000000.2507909936.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitCometService.exe, 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://.jpg
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://127.0.0.1
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://127.0.0.1Note:
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://127.0.0.1document.cookie=
                                Source: BitComet_stats.exe, 00000009.00000003.2576839919.0000000007D65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://GTM-&sign=stateparent/gtm.js&l=ctid&cx=ccontext&gtm=http://&sign=stateparent
                                Source: BitComet_stats.exe, 00000009.00000003.2710273210.0000000007AE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.ampproject.org
                                Source: BitComet_stats.exe, 00000009.00000003.2702507573.00000000031B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.ampproject.org(
                                Source: BitComet_stats.exe, 00000009.00000003.2631350199.00000000078DE000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2681579223.00000000078DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.ampproject.org/
                                Source: saBSI.exe, saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crx
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crxm9c$
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/service/update2/crxp2
                                Source: BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://cn.bitcomet.com/achive/BitComet_1.20_setup.exe
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://cn.bitcomet.com/achive/BitComet_1.20_setup.exemirror
                                Source: BitComet.exe, 0000000F.00000003.2645391968.00000246CED30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://code.google.com/p/crashrpt/wiki/FAQ
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp String found in binary or memory: http://crashfix.bitcomet.com/crashfix/index.php/crashReport/uploadExternalhttps://www.bitcomet.com/e
                                Source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                                Source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2808350129.0000000005B02000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828353985.0000000005A2C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3006435354.0000000005B43000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828759574.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3006340243.0000000005B01000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2808350129.0000000005B02000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: msedgewebview2.exe, 00000025.00000003.2784746957.00004F78006AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crrev.com/c/2555698.
                                Source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                                Source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000003.2645391968.00000246CEEF5000.00000004.00001000.00020000.00000000.sdmp, BitComet.exe, 00000010.00000003.2654393263.0000021223EF5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cscasha2.ocsp-certum.com04
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enKlN%
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://download.bitcomet.com/bitcomet/bitcomet_setup.exe
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://download.bitcomet.com/bitcomet/bitcomet_setup.exe404
                                Source: svchost.exe, 0000000B.00000003.2546811160.0000024060470000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.atcomet.com/b/
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitCometService.exe, 00000008.00000000.2507909936.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitCometService.exe, 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://html4/loose.dtd
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://mirror.com/pub/
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://mirror.com/pub/file.exe
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://mirror.com/pub/folder_name/file1.exe
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://mirror.com/pub/folder_name/file2.exe
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, BitComet_2.07_setup.exe, 00000006.00000000.2439172734.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2557238101.00000000035E1000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000000.2617739519.000000000040A000.00000008.00000001.01000000.0000001D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2982128371.0000000005A69000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2808350129.0000000005B02000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828353985.0000000005A2C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3006435354.0000000005B43000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828759574.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2854539708.0000000005A68000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.000000000555E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3006340243.0000000005B01000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 
0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2595391987.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3200279875.0000000005340000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2841061853.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2796614872.00000000058C8000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2850354846.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2847271705.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2800277114.000000000557F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3006435354.0000000005B43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                                Source: msedgewebview2.exe, 00000025.00000003.2784746957.00004F78006AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#flow-content-3
                                Source: msedgewebview2.exe, 00000025.00000003.2784746957.00004F78006AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements
                                Source: msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/220069903
                                Source: msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/255411748
                                Source: msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/issues/166475273
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000000.2195139895.0000000000401000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                                Source: BitComet_stats.exe, 00000009.00000003.2669664024.0000000000846000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2714920068.0000000000847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                                Source: BitComet_stats.exe, 00000009.00000003.2712172916.00000000007DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                                Source: BitComet_stats.exe, 00000009.00000002.2715138179.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669197742.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
                                Source: BitComet_stats.exe, 00000009.00000002.2714984634.0000000000853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                                Source: BitComet_stats.exe, 00000009.00000002.2714984634.0000000000853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2ifieQQ
                                Source: BitComet_stats.exe, 00000009.00000002.2718551466.0000000003750000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719625027.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669297682.00000000037AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                                Source: BitComet_stats.exe, 00000009.00000002.2719625027.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669297682.00000000037AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033r
                                Source: BitComet_stats.exe, 00000009.00000002.2715138179.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2718551466.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                                Source: mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logziop.reasonsecurity.com
                                Source: msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pagead2.googlesyndication.com
                                Source: BitComet_stats.exe, 00000009.00000003.2569984366.000000000368C000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2553216507.000000000361D000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661040031.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
                                Source: BitComet_stats.exe, 00000009.00000003.2569984366.000000000368C000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2553240278.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pagead2.googlesyndication.comFj.https://pagead2.googlesyndication.com
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://picsum.photos/364/202?image=883
                                Source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_
                                Source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/platform/products/rav/privacy-policy?utm_source=rav_antivirus_installer
                                Source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/platform/products/rav/terms?utm_source=rav_antivirus_installer
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policies
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policies1-0HY
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policies793432213512fbf28020e929d9e0742410ab99d5d2
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policies793432213512fbf28020e929d9e0742410ab99d5d2b
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesEN.pngbActivator.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesen-us/policy/legal.htmlmages/DOTPS-855/EN.png7
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesiveEvent512fbf28020e929d9e0742410ab99d5d2
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesm/rsSt
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2650730925.0000000004F63000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2671427112.0000000004F62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3198645280.0000000004F63000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649646246.0000000004F62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesm/rsSt%
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiesm/rsStubActivator.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiest.net/f/BitComet/1469/BitComet_2.07_setup.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reasonlabs.com/policiest.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png7
                                Source: saBSI.exe, 0000000D.00000003.2657948152.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.m$U
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657948152.0000000000CE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/$r
                                Source: saBSI.exe, 0000000D.00000003.2985082385.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/f
                                Source: saBSI.exe, 0000000D.00000003.2985082385.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/produc&
                                Source: saBSI.exeString found in binary or memory: https://sadownload.mcafee.com/products/SA/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2996404292.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml/
                                Source: saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3001550303.0000000005635000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663397434.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml
                                Source: saBSI.exe, 0000000D.00000003.2663365689.0000000005552000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663213951.0000000005552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663397434.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xml
                                Source: saBSI.exe, 0000000D.00000003.2663365689.0000000005552000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663213951.0000000005552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xml/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml/
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xmlXlc%
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/
                                Source: saBSI.exe, 0000000D.00000003.2984036734.0000000005550000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3000926030.0000000005559000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2693002624.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984625000.0000000005555000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml
                                Source: saBSI.exe, 0000000D.00000003.2841061853.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2708933152.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2801306182.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2738684918.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2983403300.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2693002624.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2847271705.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2813260813.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2982230999.0000000005570000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml/
                                Source: saBSI.exe, 0000000D.00000003.2657948152.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_main.xml
                                Source: saBSI.exe, 0000000D.00000003.2657948152.0000000000D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_main.xml5j)%
                                Source: saBSI.exe, 0000000D.00000003.2657948152.0000000000CB5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_main.xmlPac
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml/
                                Source: saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/UPDATER_VERSIONaffidosplatSELF_UPDATE_ALLOWEDMAIN_XMLSTORE
                                Source: saBSI.exeString found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.json
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.json?F
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonath;C:
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonppData
                                Source: saBSI.exe, 0000000D.00000003.2984036734.0000000005550000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3000926030.0000000005550000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi
                                Source: saBSI.exe, 0000000D.00000003.2841061853.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2708933152.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2801306182.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2738684918.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2983403300.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2693002624.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2847271705.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2813260813.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2982230999.0000000005570000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml
                                Source: saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2996404292.0000000000D56000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml/
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/binaryR
                                Source: saBSI.exe, 0000000D.00000003.2841061853.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2801306182.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2983403300.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3001295580.000000000557A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2847271705.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2813260813.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2982230999.0000000005570000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/883/
                                Source: saBSI.exe, 0000000D.00000003.2802730470.000000000555F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2801306182.000000000555C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/883/64/installer.exe
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/883/64/installer.exe5
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js5D3
                                Source: BitComet_stats.exe, 00000009.00000003.2712061165.00000000037FF000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661040031.00000000037FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js?l=en_us&file=BitComet_2.07_setup.exe&p=x64tcomet.com;J
                                Source: BitComet_stats.exe, 00000009.00000003.2669664024.0000000000846000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2714920068.0000000000847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsGQWSZ2BE7X&l=dataLayer&cx=csetup.exe&p=x64
                                Source: BitComet_stats.exe, 00000009.00000003.2708677682.0000000007D86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsac
                                Source: BitComet_stats.exe, 00000009.00000003.2553032136.0000000003629000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsc.onFailure
                                Source: BitComet_stats.exe, 00000009.00000003.2631189315.0000000007842000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/debug/bootstrap?id=
                                Source: BitComet_stats.exe, 00000009.00000003.2669349488.000000000375B000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661040031.00000000037BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/g/collect?v=2&tid=G-GQWSZ2BE7X&gtm=45je44h0v9135743374za200&_p=1713
                                Source: BitComet_stats.exe, 00000009.00000002.2719307778.0000000003790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/gB
                                Source: BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/gtm/js?id=
                                Source: BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/j/collect?v=1&_v=j101&a=548733387&t=pageview&_s=1&dl=https%3A%2F%2F
                                Source: BitComet_stats.exe, 00000009.00000002.2718551466.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/neer
                                Source: BitComet_stats.exe, 00000009.00000003.2631221084.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.%/ads/ga-audiences
                                Source: msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                                Source: BitComet_stats.exe, 00000009.00000003.2631221084.00000000078E1000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/ads/ga-audiences
                                Source: BitComet_stats.exe, 00000009.00000003.2569984366.000000000368C000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2553240278.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comFj.https://www.google.com
                                Source: BitComet_stats.exe, 00000009.00000003.2576380941.0000000007DDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.comga_restrict_domainsession_durationaddConsentListeneruser_data_auto_metacontain
                                Source: BitComet_stats.exe, 00000009.00000003.2663584993.0000000003853000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661040031.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.com
                                Source: BitComet_stats.exe, 00000009.00000003.2569984366.000000000368C000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2553240278.0000000003618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.comFj.https://www.googleadservices.com
                                Source: BitComet_stats.exe, 00000009.00000003.2576380941.0000000007DDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.cominternal.appendRemoteConfigParameter$b
                                Source: BitComet_stats.exe, 00000009.00000003.2661040031.00000000037BE000.00000004.00000020.00020000.00000000.sdmp, msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
                                Source: BitComet_stats.exe, 00000009.00000002.2718551466.0000000003750000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/BJ
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/HK
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/XJ
                                Source: BitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
                                Source: BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=c
                                Source: BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=c...
                                Source: BitComet_stats.exe, 00000009.00000002.2715138179.00000000008A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=c...=x64
                                Source: BitComet_stats.exe, 00000009.00000003.2669197742.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=c...pd5
                                Source: BitComet_stats.exe, 00000009.00000003.2669197742.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cA
                                Source: BitComet_stats.exe, 00000009.00000003.2712208742.00000000008AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cC:
                                Source: BitComet_stats.exe, 00000009.00000003.2669197742.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cLMEM
                                Source: BitComet_stats.exe, 00000009.00000003.2669197742.0000000003773000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2719130596.0000000003773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cM
                                Source: BitComet_stats.exe, 00000009.00000002.2714806434.000000000082B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cM7
                                Source: BitComet_stats.exe, 00000009.00000002.2714984634.0000000000853000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=ck
                                Source: BitComet_stats.exe, 00000009.00000002.2718551466.0000000003750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=cp0
                                Source: BitComet_stats.exe, 00000009.00000002.2715138179.00000000008A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-GQWSZ2BE7X&l=dataLayer&cx=csetup.exe&p=x64login.live.c
                                Source: BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2702507573.00000000031B3000.00000004.00000800.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669611801.000000000375E000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669349488.000000000375B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-1053053-8
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-1053053-8Z
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-1053053-8ky
                                Source: BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-1053053-8kz
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2201306158.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2199064536.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000000.2202841770.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.innosetup.com/
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.000000000249F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/coA
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.000000000249C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/e
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.000000000249C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.000000000757B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/p
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.000000000757B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/po
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.0000000002490000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/pol
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.000000000755F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/le
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.000000000755F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EE3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.00000000024A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.00000000024CB000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlU&x
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmld9e074
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmld9e0747&V
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html4%
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html7
                                Source: saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html;
                                Source: BitComet_stats.exe, 00000009.00000003.2569900816.00000000083B1000.00000004.00000020.00020000.00000000.sdmp, msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.merchant-center-analytics.goog
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277469306.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/#
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277469306.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/eula/computers
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/eula/computersq
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/privacy
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A11000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.opera.com/he/privacyiY1
                                Source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.reasonsecurity.com/
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2201306158.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2199064536.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000000.2202841770.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.remobjects.com/ps
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.winzip.com/win/en/eula.html
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.winzip.com/win/en/eula.htmlo
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.winzip.com/win/en/privacy.html
                                Source: msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/iframe_api
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe Code function: 6_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,6_2_0040558F
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\elam\rselam.cat
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

                                System Summary

                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile dump: rsAppUI.exe.18.dr 166021264Jump to dropped file
                                Source: FirefoxExtension.xpi.6.drZip Entry: background.js
                                Source: FirefoxExtension.xpi.6.drZip Entry: js/content.js
                                Source: FirefoxExtension.xpi.6.drZip Entry: js/popup.js
                                Source: embed_bcfs.zip.6.drZip Entry: assets/index-be2a7f67.js
                                Source: embed_bcfs_full.zip.6.drZip Entry: assets/index-2f1e175b.js
                                Source: embed_bcsp.zip.6.drZip Entry: assets/index-710fe85a.js
                                Source: embed_bcxt.zip.6.drZip Entry: assets/index-8e5ef939.js
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: 13_2_00F46220: GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,13_2_00F46220
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: 21_2_00007FF7E36F4BB0 RegCreateKeyExW,RegCloseKey,OutputDebugStringW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E36F4BB0
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: 21_2_00007FF7E371E4D0 WTSGetActiveConsoleSessionId,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,GetLastError,DuplicateTokenEx,CloseHandle,CreateProcessAsUserW,CloseHandle,WaitForSingleObject,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E371E4D0
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,6_2_004034A5
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Windows\system32\drivers\rsCamFilter020502.sys
                                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Windows\system32\drivers\rsKerneluser.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Windows\system32\drivers\rsElam.sys
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                                Source: BitComet.exe.6.drStatic PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Source: BitComet.exe.6.drStatic PE information: Resource name: ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
                                Source: installer.exe.13.drStatic PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 27639028 bytes, 132 files, at 0x2c +A "analyticsmanager.cab" +A "analyticstelemetry.cab", number 1, 968 datablocks, 0x1 compression
                                Source: WebView2Loader.dll.6.drStatic PE information: Number of sections : 12 > 10
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.3209011733.0000000000A98000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000000.2195276136.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2199064536.0000000002959000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2201306158.000000007FE25000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version
                                Source: RAVEndPointProtection-installer.exe.14.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: classification engineClassification label: mal54.troj.spyw.evad.winEXE@74/754@0/100
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,6_2_004034A5
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,6_2_00404850
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: OutputDebugStringW,GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,RegisterServiceCtrlHandlerExW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,CreateEventW,OutputDebugStringW,GetLastError,SetServiceStatus,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,WaitForSingleObject,OutputDebugStringW,OutputDebugStringW,CloseHandle,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,SetEvent,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E36F71C0
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: 13_2_00F34C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,13_2_00F34C8E
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_00402104 CoCreateInstance,6_2_00402104
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeCode function: 9_2_00409D65 FindResourceW,FindResourceW,LoadResource,LoadResource,LockResource,FindResourceW,LoadResource,LockResource,GetWindow,GlobalAlloc,GlobalLock,GlobalUnlock,CreateStreamOnHGlobal,MapDialogRect,SetWindowContextHelpId,SetWindowPos,#6,GetWindow,#6,9_2_00409D65
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: 21_2_00007FF7E36F4BB0 RegCreateKeyExW,RegCloseKey,OutputDebugStringW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E36F4BB0
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile created: C:\Users\user\AppData\Local\Programs
                                Source: C:\Program Files\BitComet\tools\UPNP.exeMutant created: \Sessions\1\BaseNamedObjects\{UPNP-ICF-A4AFA740-F3D0-4efc-B4BA-86948F1185D5}
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpMutant created: \Sessions\1\BaseNamedObjects\Global\{a9c7042b-2ab7-4351-ba81-3794b003246a}Installer
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeMutant created: \Sessions\1\BaseNamedObjects\Global\_rsStubExecute
                                Source: C:\Program Files\BitComet\tools\UPNP.exeMutant created: NULL
                                Source: C:\Program Files\BitComet\tools\UPNP.exeMutant created: \Sessions\1\BaseNamedObjects\{UPNP-NAT-0C3AE491-163B-4752-A532-E2383776602D}
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
                                Source: C:\Program Files\BitComet\BitComet.exeMutant created: \Sessions\1\BaseNamedObjects\75DAD82D-A77F-49e5-ADD3-8F11C1940689
                                Source: C:\Program Files\BitComet\BitComet.exeMutant created: \Sessions\1\BaseNamedObjects\{SIMPLEBT-53DE14D9-A616-4ff0-BA62-9DF424D0665C}
                                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4824
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeMutant created: \BaseNamedObjects\75DAD82D-A77F-49e5-ADD3-8F11C1940689
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpMutant created: \Sessions\1\BaseNamedObjects\{a9c7042b-2ab7-4351-ba81-3794b003246a}Installer
                                Source: C:\Program Files\BitComet\BitComet.exeMutant created: \Sessions\1\BaseNamedObjects\{SIMPLEBT-D19EACFB-5FD1-4615-A179-A9B9E38A6506}
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeFile created: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -add25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /add25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -delete25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /delete25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -addfw25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /addfw25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -deletefw25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /deletefw25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -addwfapp25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /addwfapp25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -app25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /app25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -filepath25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /filepath25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -lanip25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /lanip25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -tcpport25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /tcpport25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -udpport25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /udpport25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -tcpport125_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /tcpport125_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -udpport125_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /udpport125_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -tcpport225_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /tcpport225_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: -miniupnp25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: /miniupnp25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: DS25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: .#v25_2_00520E90
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCommand line argument: UPNP25_2_00520E90
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE (Name='rsAppUI.exe' OR Name='ReasonLabs.exe') AND CommandLine Like '%EPP%'
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = 5724
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile read: C:\Users\user\Desktop\desktop.ini
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeFile read: C:\Windows\System32\drivers\etc\hosts
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeReversingLabs: Detection: 44%
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeVirustotal: Detection: 48%
                                Source: BitComet_2.07_setup.exeString found in binary or memory: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=
                                Source: BitComet_2.07_setup.exeString found in binary or memory: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=B
                                Source: UPNP.exeString found in binary or memory: 75DAD82D-A77F-49e5-ADD3-8F11C1940689
                                Source: UPNP.exeString found in binary or memory: /addwfapp
                                Source: UPNP.exeString found in binary or memory: -addwfapp
                                Source: UPNP.exeString found in binary or memory: -addfw
                                Source: UPNP.exeString found in binary or memory: /addfw
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_9-6190
                                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe"
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exeProcess created: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp "C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp" /SL5="$2041C,1631103,874496,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe"
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeProcess created: C:\Program Files\BitComet\tools\BitCometService.exe "C:\Program Files\BitComet\tools\BitCometService.exe" /reg
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeProcess created: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=BitComet_2.07_setup.exe&p=x64
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100" -i -v -d -se=true
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeProcess created: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Program Files\BitComet\BitComet.exe "C:\Program Files\BitComet\BitComet.exe" --no_elevated
                                Source: unknownProcess created: C:\Program Files\BitComet\BitComet.exe "C:\Program Files\BitComet\BitComet.exe"
                                Source: unknownProcess created: C:\Program Files\BitComet\tools\BitCometService.exe "C:\Program Files\BitComet\tools\BitCometService.exe" -service
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeProcess created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe "C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeProcess created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 964
                                Source: unknownProcess created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
                                Source: C:\Program Files\BitComet\BitComet.exeProcess created: C:\Program Files\BitComet\tools\UPNP.exe "C:\Program Files\BitComet\tools\UPNP.exe" -addfw -app BitComet -tcpport 7319 -udpport 7319 -q
                                Source: unknownProcess created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub
                                Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exeProcess created: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe "C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe" /auto-repair=RavStub
                                Source: C:\Program Files\BitComet\BitComet.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3708.7216.9049188055043856713
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\BitComet\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\BitComet\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:2
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:3
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files\BitComet\BitComet.exeProcess created: C:\Program Files\BitComet\tools\UPNP.exe "C:\Program Files\BitComet\tools\UPNP.exe" -add -app BitComet -lanip 192.168.2.6 -tcpport 7319 -udpport 7319 -q
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 964
                                Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                                Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
                                Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Process created: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe "C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe" /auto-repair=RavStub
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\BitComet\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\BitComet\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:2
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:3
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: msimg32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: oledlg.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: msimg32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: oledlg.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: linkinfo.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: ntshrui.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeSection loaded: cscapi.dllJump to behavior
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeSection loaded: winmm.dllJump to behavior
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeSection loaded: version.dllJump to behavior
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ieframe.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dataexchange.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: d3d11.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dcomp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dxgi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: twinapi.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: msiso.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: mshtml.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: mlang.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: jscript9.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: msimtf.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: d2d1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dwrite.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: d3d10warp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: dxcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: policymanager.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: msvcp110_win.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeSection loaded: profext.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: rasapi32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: rasman.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: rtutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: acgenral.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: samcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: msacm32.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: dwmapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winmmbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winmmbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: aclayers.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: sfc.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: sfc_os.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winsta.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: webio.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: schannel.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: mskeyprotect.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: ntasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: ncrypt.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: ncryptsslp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: cryptsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: rsaenh.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: gpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeSection loaded: cryptnet.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: dwmapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: oleacc.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: shfolder.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeSection loaded: profapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: apphelp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: winmm.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: urlmon.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: wininet.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: msimg32.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: version.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: oleacc.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: iertutil.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: srvcli.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: netutils.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: wldp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: profapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dbghelp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: taskschd.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: sspicli.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: xmllite.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: winmm.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: urlmon.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: wininet.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: msimg32.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: version.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: oleacc.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: iertutil.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: srvcli.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: netutils.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: wldp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: profapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dbghelp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: mswsock.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: sspicli.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: winhttp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: winnsi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: propsys.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: edputil.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: wintypes.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: appresolver.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: slc.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: userenv.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: sppc.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: apphelp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: firewallapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: fwbase.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: fwpolicyiomgr.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: linkinfo.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: textshaping.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: webview2loader.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: windowscodecs.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: thumbcache.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dataexchange.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: d3d11.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dcomp.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: dxgi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: twinapi.appcore.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: textinputframework.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: coreuicomponents.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: coremessaging.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: ntmarta.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: coremessaging.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: ntshrui.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: cscapi.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: policymanager.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: msvcp110_win.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: taskflowdatauser.dll
                                Source: C:\Program Files\BitComet\BitComet.exeSection loaded: cdp.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                Source: BitComet.lnk.6.drLNK file: ..\..\..\..\..\..\Program Files\BitComet\BitComet.exe
                                Source: HomePage.lnk.6.drLNK file: ..\..\..\..\..\..\Program Files\BitComet\BitComet.url
                                Source: Uninstall.lnk.6.drLNK file: ..\..\..\..\..\..\Program Files\BitComet\uninst.exe
                                Source: BitComet.lnk0.6.drLNK file: ..\..\..\Program Files\BitComet\BitComet.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile written: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\5VG4OE52\__AssemblyInfo__.ini
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpWindow found: window name: TSelectLanguageFormJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: OK
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Accept
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Accept
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpAutomated click: Next
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpWindow detected: HYPERLINK "http://www.bitcomet.com/doc/term-of-use.php" End User License Agreement | HYPERLINK "https://www.bitcomet.com/doc/privacy-policy.php" Privacy Policy | This will install BitComet to your computer click "Next" to continue. | BitComet is a free BitTorrent download client! BitComet is powerful super-fast and easy-to-use. | Welcome to BitComet Installer | &Next | Cancel
                                Source: C:\Program Files\BitComet\BitComet.exeWindow detected: Number of UI elements: 40
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitCometJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\ReadMe.txtJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\License.txtJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\ChangeLog.txtJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\BitComet.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\CrashReport.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\WebView2Loader.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\langJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ar.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-bg.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-bs.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ca.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-cs.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-da.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-de.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-el.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-en_US.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-es.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-et.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-eu.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-fa.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-fi.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-fr.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-gl.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-he.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-hr.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-hu.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-hy.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-id.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-it.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ja.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-kk.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-kn.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ko.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-ku.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-lt.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-lv.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDirectory created: C:\Program Files\BitComet\lang\bitcomet-mk.moJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\mc.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\NAudio.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\netstandard.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsAtom.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsBridge.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Features.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsFrame.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsHelper.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsJSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsLogger.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsTime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsWSC.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Console.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDirectory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsKerneluser.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Directory created: C:\Program Files\ReasonLabs\EPP\uninstall.ico
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe Static PE information: certificate valid
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe Static file information: File size 2596280 > 1048576
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: F:\develop\VideoSnap\app\Release_unicode\VideoSnapshot.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\BitCometAgent_ActiveX\app\Release_Unicode\BitCometAgent_ActiveX.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsAtom.pdb source: mrybn0ui.exe, 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 0000000C.00000000.2574778574.000002A71BA42000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: rsTime.pdb source: mrybn0ui.exe, 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\tools\desktop-toasts\Release\BitCometToastsNotifier.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Source\Repos\DS-Platform\zbShield-Utils-CPP\zbShieldUtils\bin\Release\zbShieldUtils.pdb source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2645128806.0000000007670000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\RavStub\obj\Release\RavStub.pdb source: mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000018.00000000.2675573107.00007FF7E3787000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\x64\Release\ArchiveUtility.pdb source: mrybn0ui.exe, 0000000E.00000003.2623098080.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: d:\Develop\BitCometExtension_IE\app\release_unicode\BitCometBHO.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: mrybn0ui.exe, 0000000E.00000003.2629256451.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: #F:\develop\VideoSnap\app\Release_unicode\VideoSnapshot.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\develop\BitCometExtension_Chrome\bc_launcher_for_chrome\Release\ChromeLauncher.pdb source: BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsDatabase.pdb source: mrybn0ui.exe, 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: mrybn0ui.exe, 0000000E.00000003.2625390581.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: mrybn0ui.exe, 0000000E.00000003.2624821496.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsLogger.pdb source: mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: mrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: rsJSON.pdb source: mrybn0ui.exe, 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\develop\CrashReport\CrashRpt_v3\bin\x64\Release LIB\CrashReport.pdbx source: BitComet.exe, 0000000F.00000003.2645391968.00000246CED30000.00000004.00001000.00020000.00000000.sdmp
                                Source: Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: mrybn0ui.exe, 0000000E.00000003.2631416391.0000000002739000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 00000018.00000000.2675573107.00007FF7E3787000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: rsLogger.pdbx source: mrybn0ui.exe, 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\develop\BitComet_2.07\app\Release_unicode_x64\GUI_BitComet_wx.pdb source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp
                                Source: Binary string: D:\develop\CrashReport\CrashRpt_v3\bin\x64\Release LIB\CrashReport.pdb source: BitComet.exe, 0000000F.00000003.2645391968.00000246CED30000.00000004.00001000.00020000.00000000.sdmp
                                Source: is-E8JCH.tmp.2.dr Static PE information: 0xA024B15D [Sat Feb 20 18:01:01 2055 UTC]
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040A15D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree,9_2_0040A15D
                                Source: zhtj13rq.exe.12.dr Static PE information: real checksum: 0x12c7dd should be: 0x1313f7
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x31af45
                                Source: BcNsisHelperXP.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x31b07
                                Source: is-E8JCH.tmp.2.dr Static PE information: real checksum: 0x15863 should be: 0xdb66
                                Source: BcNsisHelper.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x3103df
                                Source: mrybn0ui.exe.12.dr Static PE information: real checksum: 0x1e2390 should be: 0x1e45bd
                                Source: System.dll.14.dr Static PE information: real checksum: 0x0 should be: 0x3d68
                                Source: BitCometService.exe0.6.dr Static PE information: real checksum: 0x294eeb should be: 0x294d8d
                                Source: uninst.exe.6.dr Static PE information: real checksum: 0x19a4a8f should be: 0x140e3b
                                Source: BitCometService.exe.6.dr Static PE information: real checksum: 0x294eeb should be: 0x294d8d
                                Source: System.dll.6.dr Static PE information: real checksum: 0x0 should be: 0x9091
                                Source: zbShieldUtils.dll.2.dr Static PE information: real checksum: 0x0 should be: 0x1fb3ca
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe Static PE information: section name: .didata
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp.0.dr Static PE information: section name: .didata
                                Source: saBSI.exe.2.dr Static PE information: section name: .didat
                                Source: BitComet.exe.6.dr Static PE information: section name: .detourc
                                Source: BitComet.exe.6.dr Static PE information: section name: .detourd
                                Source: WebView2Loader.dll.6.dr Static PE information: section name: .00cfg
                                Source: WebView2Loader.dll.6.dr Static PE information: section name: .gxfg
                                Source: WebView2Loader.dll.6.dr Static PE information: section name: .retplne
                                Source: WebView2Loader.dll.6.dr Static PE information: section name: .voltbl
                                Source: WebView2Loader.dll.6.dr Static PE information: section name: _RDATA
                                Source: VideoSnapshot.exe.6.dr Static PE information: section name: _TEXT64
                                Source: VideoSnapshot.exe.6.dr Static PE information: section name: _RDATA
                                Source: installer.exe.13.dr Static PE information: section name: _RDATA
                                Source: ArchiveUtilityx64.dll.14.dr Static PE information: section name: _RDATA
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040ABF1 push ecx; ret 9_2_0040AC04
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_3_05A6BD3B push es; retf 13_3_05A6BD46
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_3_05A6A0E1 push esi; retf 13_3_05A6A0E2
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_3_05A6B36B pushfd ; retf 13_3_05A6B3C1
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FA8DDB push ecx; ret 13_2_00FA8DEE
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FD7CFD push ecx; ret 13_2_00FD7D12
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004B2090 push ecx; ret 25_2_004B20A3
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_00522513 push ecx; ret 25_2_00522528
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004B26B6 push ecx; ret 25_2_004B26C9
                                Source: BitCometService.exe.6.dr Static PE information: section name: .text entropy: 6.931897898159348
                                Source: BitCometService.exe0.6.dr Static PE information: section name: .text entropy: 6.931897898159348
                                Source: VideoSnapshot.exe.6.dr Static PE information: section name: .text entropy: 6.902269600709831
                                Source: RAVEndPointProtection-installer.exe.14.dr Static PE information: section name: .text entropy: 7.672726174913078
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\fr\Microsoft.Win32.TaskScheduler.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\ko-KR\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\NAudio.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\Program Files\BitComet\tools\BitCometAgent_1.92.7.9.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\BU6GPN3I\rsLogger.DLL
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\th-TH\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp File created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\is-E8JCH.tmp
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\hu-HU\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\el-GR\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\x64\rsKerneluser.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Windows\System32\drivers\rsCamFilter020502.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\pl-PL\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\sl-SI\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsAtom.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\sl\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\fr-FR\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\Program Files\BitComet\tools\ChromeLauncher.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\it\Microsoft.Win32.TaskScheduler.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe File created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\installer.exe
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\it-IT\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsLogger.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\x64\7z64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\cs-CZ\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\pt\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\Program Files\BitComet\uninst.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\ru-RU\RavStub.resources.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\pt\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.AppContext.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\vi-VN\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\de-DE\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsDatabase.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsq7AD9.tmp\System.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\fil-PH\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\DLXGRDLP\rsAtom.DLLJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\Uninstall.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsWSC.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\nb-NO\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Collections.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\tools\BitCometToastsNotifier.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tr-TR\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\sv-SE\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\id-ID\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLLJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\pt-BR\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsSyncSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsServiceController.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\ru\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.nodeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsDatabase.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\nl-NL\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\netstandard.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\sl\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\da-DK\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\sk-SK\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\da-DK\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\ui\EPP.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\System.ValueTuple.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe (copy)Jump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsJSON.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Globalization.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\nl-NL\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\tools\BitCometService.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\id-ID\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\tr-TR\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\pt-BR\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\sv-SE\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\zh-CN\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\zh-TW\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Linq.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\es-ES\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsTime.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\hu-HU\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsSyncSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\sk-SK\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\tools\UPNP.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\5VG4OE52\rsStubLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeFile created: C:\Program Files\BitComet\CrashReport.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\zh-TW\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\zh-CN\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\is-JOE6V.tmpJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\fr-FR\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\sl-SI\RavStub.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Runtime.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeFile created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsAssistant.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeFile created: C:\Users\user\AppData\Local\Temp\nsqA005.tmp\System.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.nodeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile created: C:\Program Files\ReasonLabs\EPP\rsuser.Core.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpFile created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe (copy)Jump to dropped file

                                Boot Survival

                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe File created: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File created: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe File created: C:\Users\user\AppData\Local\Temp\nslA035.tmp\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITCOMET_HELPER_SERVICE
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitComet (64-bit)
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitComet (64-bit)\BitComet.lnk
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitComet (64-bit)\HomePage.lnk
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BitComet (64-bit)\Uninstall.lnk
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: 21_2_00007FF7E36F4BB0 RegCreateKeyExW,RegCloseKey,OutputDebugStringW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E36F4BB0

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe File opened: C:\Program Files\ReasonLabs\EPP\Uninstall.exe:Zone.Identifier read attributes | delete
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: 13_2_00F60540 EnterCriticalSection,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LeaveCriticalSection,13_2_00F60540
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files\BitComet\BitComet.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
                                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\BitComet\BitComet.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 31E0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 3840000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 39C0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 39E0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 3D10000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7A50000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7AB0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7B30000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7BB0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7C30000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7C70000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7D30000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7DB0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7E50000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7B10000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7BD0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7E70000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7E90000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7EB0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7EF0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7F50000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7F70000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7F90000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7FD0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 7FF0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8390000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 85B0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 85D0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 85F0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8630000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 86C0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8740000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8800000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8860000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 88E0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 78F0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 79B0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 79F0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8010000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8030000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8690000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8930000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8950000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8970000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 8990000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 89B0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 89D0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Memory allocated: 89F0000 memory commit | memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Memory allocated: 2A71BD70000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Memory allocated: 2A735880000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Memory allocated: 20956DF0000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Memory allocated: 209708A0000 memory reserve | memory write watch
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Code function: 8_2_00401440 rdtsc 8_2_00401440
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00F34C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,13_2_00F34C8E
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Window / User API: threadDelayed 834
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Window / User API: threadDelayed 952
                                Source: C:\Program Files\BitComet\BitComet.exe Window / User API: foregroundWindowGot 928
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Window / User API: threadDelayed 7290
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Window / User API: threadDelayed 6175
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Window / User API: threadDelayed 1219
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.RegularExpressions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\NAudio.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe Dropped PE file which has not been started: C:\Program Files\BitComet\tools\BitCometAgent_1.92.7.9.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\BU6GPN3I\rsLogger.DLL
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.AccessControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\KernelTraceControl.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsKerneluser.sysJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Windows\System32\drivers\rsCamFilter020502.sysJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msvcp140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.Tracing.TraceEvent.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsAtom.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDropped PE file which has not been started: C:\Program Files\BitComet\tools\ChromeLauncher.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\installer.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsLogger.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\7z64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\SQLite.Interop.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDropped PE file which has not been started: C:\Program Files\BitComet\uninst.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.AppContext.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsDatabase.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq7AD9.tmp\System.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ValueTuple.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\DLXGRDLP\rsAtom.DLLJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsWSC.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDropped PE file which has not been started: C:\Program Files\BitComet\tools\BitCometToastsNotifier.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsYara-x64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLLJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsServiceController.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.nodeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsDatabase.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\netstandard.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\EPP.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\System.ValueTuple.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsJSON.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsTime.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\5VG4OE52\rsStubLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeDropped PE file which has not been started: C:\Program Files\BitComet\CrashReport.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\TraceReloggerLib.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsAssistant.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqA005.tmp\System.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Ping.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.nodeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Core.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Windows\System32\drivers\rsKerneluser.sysJump to dropped file
                                Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nst9B90.tmp\System.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\System.ValueTuple.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeDropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.Tracing.TraceEvent.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.Reader.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsTime.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BcNsisHelperXP.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Claims.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XmlDocument.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsLogger.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\EF17UA5X\rsServiceController.DLL
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zhtj13rq.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Security.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Requests.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Dia2Lib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Dia2Lib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Contracts.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsHelper.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsJSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\_isetup\_setup64.tmp
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Program Files\BitComet\tools\Updater.exe
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BcNsisHelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsAtom.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.Http.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsStubLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Collections.Specialized.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Reflection.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\msdia140.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.IsolatedStorage.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.IO.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Console.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Program Files\BitComet\tools\VideoSnapshot.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Csp.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsAtom.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\mc.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Tasks.Parallel.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Threading.Timer.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsBridge.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsBuild.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Net.NameResolution.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Dynamic.Runtime.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsFrame.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsDatabase.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.Principal.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Security.SecureString.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\http_Downloader.exe
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\ARM64\rsYara-ARM64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\System.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.TextWriterTraceListener.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsStubLib.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\ArchiveUtilityx64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\amd64\KernelTraceControl.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\zbShieldUtils.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Debug.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\rsElam.sys
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslA035.tmp\ArchiveUtilityx64.dll
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Dropped PE file which has not been started: C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll
                                Source: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\System.Data.SQLite.dll
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe | API coverage: 4.7 %
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp TID: 5764 | Thread sleep time: -30000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp TID: 6364 | Thread sleep time: -60000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp TID: 5764 | Thread sleep time: -30000s >= -30000s
                                Source: C:\Windows\System32\svchost.exe TID: 6108 | Thread sleep time: -30000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe TID: 5944 | Thread sleep time: -6456360425798339s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe TID: 5944 | Thread sleep time: -75000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe TID: 7300 | Thread sleep count: 834 > 30
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe TID: 7300 | Thread sleep count: 952 > 30
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe TID: 5904 | Thread sleep count: 7290 > 30
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe TID: 5904 | Thread sleep time: -72900s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 7040 | Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 2304 | Thread sleep count: 6175 > 30
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 2304 | Thread sleep count: 1219 > 30
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 2572 | Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 7040 | Thread sleep time: -60000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 3604 | Thread sleep time: -30000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe TID: 3192 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe | Last function: Thread delayed
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe | Last function: Thread delayed
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe | Last function: Thread delayed
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe | Thread sleep count: Count: 7290 delay: -10
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File Volume queried: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp FullSizeInformation
                                Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe | File Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe | File Volume queried: C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Code Cache\js FullSizeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe | File Volume queried: C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Code Cache\wasm FullSizeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe | File Volume queried: C:\Users\user\AppData\Local\BitComet\EBWebView\Default\blob_storage\d6cfa668-35db-4418-846a-5923e97eb4ed FullSizeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe | File Volume queried: C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Cache\Cache_Data FullSizeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Code function: 6_2_0040672B FindFirstFileW,FindClose,6_2_0040672B
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Code function: 6_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_00405AFA
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe | Code function: 6_2_00402868 FindFirstFileW,6_2_00402868
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe | Code function: 13_2_00FC9BF0 FindFirstFileExW,13_2_00FC9BF0
                                Source: C:\Program Files\BitComet\tools\UPNP.exe | Code function: 25_2_004CDF28 FindFirstFileExW,25_2_004CDF28
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe | Code function: 13_2_00F92782 VirtualQuery,GetSystemInfo,13_2_00F92782
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Thread delayed: delay time: 60000
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user\AppData
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user\AppData\Local
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp | File opened: C:\Users\user\AppData\Local\Temp
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":"","f":"ZB_Opera_re_V3","o":"Opera_reengaged"},"ps":{"i":"Opera/images/DOTPS-483/EN.png","dn":"Opera","u":"Opera/files/1499/OperaSetup.zip","p":"--silent --allusers=0 --otd=utm.medium:pb,utm.source:ais,utm.campaign:opera_reengaged","c":"opera_reengaged","a":["OperaSetup","OperaSetup.exe","OperaGXSetup.exe","OperaGXSetup"],"ir":["Opera Software"],"rp":["Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\^Opera"],"cp":"https://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computers","ov":100,"cbfo":true,"pv":"1.34","v":3,"x":3}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast","o":"AVAST"},"ps":{"i":"AVAST/images/DOTPS-403/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws /psh:{pxl}","rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"r":["AVAST Software\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1","WebBar","WebDiscoverBrowser","AVG\\Antivirus\\Version","AVG\\AV\\Dir"],"a":["AvastSvc","instup","AvastUI","AVGUI","avguix","AVGSvc","avgsvca"],"ctu":"https://www.avast.com/eula-avast-consumer-products","cp":"https://www.avast.com/privacy-policy","ov":61,"cbfo":true,"avauc":true,"avur":"AvUninstallTimestamp","pv":"1.29","x":12,"disk":2560,"ram":256,"iapp":["chrome.exe"],"v":1}}],"c":""}P
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100" -i -v -d -se=true:"RAV, VPN by RAV, Online Security, Safer Web","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -vp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100&oip=26&ptl=7&dta=true\" -dp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100\" -i -v -d -se=true","r":["ReasonVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonVPN","RAVVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\RAVVPN","ReasonLabs\\VPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-VPN","ReasonSaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonSaferWeb","SaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\SaferWeb","ReasonLabs\\DNS","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-DNS","ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session 
Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","utk":"ReasonPersistentStorage","utvn":"AvUninstallTime","utvt":"SZ","umd":7}],"cp":"https://reasonlabs.com/policies","ctu":"https://reasonlabs.com/policies","win64":true,"pv":"1.26","disk":450,"fe":["{commonpf64}\\ReasonLabs\\EPP\\InstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstaller.exe"],"ov":100,"cbfo":true,"x":10,"v":1}},{"ad":{"n":6,"nn":"Low_Ntiles","f":"ZB_AVG_AV_TrustPilot","o":"AVG_AV"},"ps":{"i":"AVG_AV/images/1382/TrustPilot/EN.png","dn":"AVG Anti Virus","u":"AVG_AV/files/1319/avg.zip","p":"/silent /ws /psh:{pxl}","r":["AVAST Software\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG A
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
                                Source: BitComet_stats.exe, 00000009.00000002.2719451049.00000000037A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.H;
                                Source: BitComet_2.07_setup.exe, 00000006.00000002.2558653762.0000000000548000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\%
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Code={cc}","r":["McAfee\\SiteAdvisor","McAfee\\WebAdvisor","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}"],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cp":"https://www.mcafee.com/consumer/en-us/policy/legal.html","ctu":"https://www.mcafee.com/consumer/en-us/policy/legal.html","pv":"1.23","ov":100,"cbfo":true,"x":2,"iapp":["chrome.exe"],"fe":["{commonappdata}\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\$McRebootA5E6DEAA56$.lnk"],"ud":true,"v":2}},{"ad":{"n":"","f":"ZB_WebcompanionFF_new","o":"Webcompanion2016FF"},"ps":{"dn":"WebCompanion","i":"WebCompanion/images/DOTPS-720/EN.png","u":"WebCompanion/files/Webcompanion2016FF/DOTPS-554/WcInstaller.zip","p":"--silent --homepage=12 --search=2 --partner=IC150206 --searchenbl","r":["Microsoft\\Windows\\CurrentVersion\\Uninstall\\{07244cb4-7c29-488d-b343-735ae0cddfe8}","Lavasoft\\Web Companion","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8f3e930d-12d6-45f3-8522-b86dd3515c63}"],"cp":"https://webcompanion.com/privacy","ctu":"https://webcompanion.com/terms","ia":["firefox"],"pv":"1.27","x":5,"v":2}},{"ad":{"n":"","f":"ZB_Norton_BRW","o":"AVG_BRW"},"ps":{"i":"NORTON_BRW/images/1494/547x280/EN.png","dn":"Norton Private Browser","u":"NORTON_BRW/files/1471/norton_private_browser_setup.zip","p":"/s /make-default /run_source=\"norton_ppi_is\"","c":"norton","r":["AVG\\Browser\\Installed","AVASTSoftware\\Browser\\Installed","Avira\\Browser\\Installed","Norton\\Browser\\Installed","Piriform\\Browser\\Installed","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avira 
Security_is1","Microsoft\\Windows\\CurrentVersion\\Uninstall\\NGC"],"a":["Avira.Spotlight.Service"],"cp":"https://www.nortonlifelock.com/us/en/privacy/","ctu":"https://www.nortonlifelock.com/us/en/legal/license-services-agreement/","pv":"1.29","ov":100,"cbfo":true,"v":3}},{"ad":{"n":"","f":"ZB_WinZip","o":"Winzip19"},"ps":{"dn":"WinZip","i":"WinZip/images/905/EN.png","u":"WinZip/files/1292/winzip28-dci5.zip","p":"/qn","c":"reg","r":["Nico Mak Computing\\WinZip"],"cp":"https://www.winzip.com/win/en/privacy.html","ctu":"https://www.winzip.com/win/en/eula.html","win64":true,"ov":100,"cbfo":true,"pv":"1.23","v":6}},{"ad":{"n":"","f":"ZB_Opera_New_ISV","o":"Opera_new"},"ps":{"i":"Opera/images/DOTPS-717/NCB/EN.png","dn":"Opera","u":"Opera/files/1499/OperaSetup.zip","p":"--silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a","c":"opera_new_a","a":["OperaSetup","OperaSetup.exe","OperaGXSetup.exe","OperaGXSetup"],"r":["Opera Software"],"cp":"https://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computers","ov":100,"cbfo":true,"pv":"1.23","v":3,"x":3}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast_NCH","o":"Avast_NCH"},"ps":{"i":"AVAST/images/DOTPS-403/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws /psh:{pxl}","r":["AVAST Software\\Avast","Microsoft\\
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2714984634.0000000000853000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000002.2714890577.000000000083A000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669426499.0000000000839000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2651888127.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                                Source: BitComet_stats.exe, 00000009.00000002.2714806434.0000000000813000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
                                Source: BitComet.exe, 0000000F.00000003.2654275524.00000246CD006000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000003.2654238400.00000246CCFF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp Binary or memory string: /\\\?\/\..\\?\UNC\:*:.*.*NULCOM9COM8LPT2LPT1COM5COM4COM7COM6COM1NULCOM3COM2CONAUXPRN.bat.scf.xpi.vbs.scr.com.cmd.pifLPT8LPT7 .LPT9LPT4LPT3LPT6LPT5.ogv.ogm.qt.divx.mpv.m4v.webm.mov.asf.wmv.mpeg.mpg.rmvb.apk.avi.rm.mod.ts.mp3.mid.hlv.ifo.ps.m2ts.pmp.3gp2.scm.f4v.3gp.vob.3g2.3gpp.wv.mpa.dff.dsf.vqf.amr.mp2.flac.wma.ogg.mpga.ape.ram.ra.aac.au.tif.tiff.wmf.tga.psd.pic.svgz.svg.pcx.pcd.pct.pict.emf.eps.jp2.jpg2hgfsapfsext2exfat.mds.cuentfs.nrg.rar.bz2.ccd.iso.xpm.xbm.gz.7zrefsext3hfsfuse-rclone`
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.G,
                                Source: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: m"Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1","WebBar","WebDiscoverBrowser","AVG\\Antivirus\\Version","AVG\\AV\\Dir"],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"a":["AvastSvc","instup","AvastUI","AVGUI","avguix","AVGSvc","avgsvca"],"ctu":"https://www.avast.com/eula-avast-consumer-products","cp":"https://www.avast.com/privacy-policy","ov":61,"cbfo":true,"pv":"1.29","x":13,"disk":2560,"ram":256,"eapp":["chrome.exe"],"v":1}},{"ad":{"n":"","f":"ZB_TotalSecurity_V4","o":"TotalSecurity_AV"},"ps":{"i":"TotalSecurity_AV/images/1127/V4/EN.png","dn":"360 Total Security","u":"TotalSecurity_AV/files/1127/ts360Setup.zip","p":"/s","r":["Microsoft\\Windows\\CurrentVersion\\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":"","f":"ZB_Opera_re_V3","o":"Opera_reengaged"},"ps":{"i":"Opera/images/DOTPS-483/EN.png","dn":"Opera","u":"Opera/files/1499/OperaSetup.zip","p":"--silent --allusers=0 --otd=utm.medium:pb,utm.source:ais,utm.campaign:opera_reengaged","c":"opera_reengaged","a":["OperaSetup","OperaSetup.exe","OperaGXSetup.exe","OperaGXSetup"],"ir":["Opera Software"],"rp":["Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\^Opera"],"cp":"https://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computers","ov":100,"cbfo":true,"pv":"1.34","v":3,"x":3}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast","o":"AVAST"},"ps":{"i":"AVAST/images/DOTPS-403/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws 
/psh:{pxl}","rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"r":["AVAST Software\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1","WebBar","WebDiscoverBrowser","AVG\\Antivirus\\Version","AVG\\AV\\Dir"],"a":["AvastSvc","instup","AvastUI","AVGUI","avguix","AVGSvc","avgsvca"],"ctu":"https://www.avast.com/eula-avast-consumer-products","cp":"https://www.avast.com/privacy-policy","ov":61,"cbfo":true,"avauc":true,"avur":"AvUninstallTimestamp","pv":"1.29","x":12,"disk":2560,"ram":256,"iapp":["chrome.exe"],"v":1}}],"c":""}3EL
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe API call chain: ExitProcess graph end node graph_6-3736
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process information queried: ProcessInformation

                                Anti Debugging

                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Code function: 8_2_00401440 8_2_00401440
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Code function: 8_2_004013D0 8_2_004013D0
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process queried: DebugPort
                                Source: C:\Program Files\BitComet\tools\BitCometService.exe Code function: 8_2_00401440 rdtsc 8_2_00401440
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040D1EB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0040D1EB
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00F45110 RegOpenKeyExW,RegQueryValueExW,SetLastError,RegCloseKey,RegCloseKey,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LoadLibraryExW,GetLastError,13_2_00F45110
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00F34C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,13_2_00F34C8E
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FD7BC0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 13_2_00FD7BC0
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040A15D IsProcessorFeaturePresent,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,InterlockedCompareExchange,GetProcessHeap,HeapFree,9_2_0040A15D
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FBE8FE mov eax, dword ptr fs:[00000030h] 13_2_00FBE8FE
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FC7CF2 mov eax, dword ptr fs:[00000030h] 13_2_00FC7CF2
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FC7CAE mov eax, dword ptr fs:[00000030h] 13_2_00FC7CAE
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FC7C6A mov eax, dword ptr fs:[00000030h] 13_2_00FC7C6A
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FC7D23 mov eax, dword ptr fs:[00000030h] 13_2_00FC7D23
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004C4B30 mov eax, dword ptr fs:[00000030h] 25_2_004C4B30
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040A2BF GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualFree,9_2_0040A2BF
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Process token adjusted: Debug
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Process token adjusted: Debug
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe Code function: 9_2_0040AB6A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_0040AB6A
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FA9018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00FA9018
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FA93F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00FA93F2
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FAD453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00FAD453
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe Code function: 13_2_00FA9586 SetUnhandledExceptionFilter,13_2_00FA9586
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 21_2_00007FF7E375E3BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00007FF7E375E3BC
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe Code function: 21_2_00007FF7E3752A10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00007FF7E3752A10
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004B223C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_004B223C
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004B2437 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_004B2437
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004DE500 SetUnhandledExceptionFilter,25_2_004DE500
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004B25CA SetUnhandledExceptionFilter,25_2_004B25CA
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004DD170 SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,SetUnhandledExceptionFilter,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::_Scoped_lock,SafeRWList,25_2_004DD170
                                Source: C:\Program Files\BitComet\tools\UPNP.exe Code function: 25_2_004BBD1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_004BBD1F
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Memory allocated: page read and write | page guard
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100" -i -v -d -se=true
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp Process created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe Process created: C:\Program Files\BitComet\tools\BitCometService.exe "C:\Program Files\BitComet\tools\BitCometService.exe" /reg
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Process created: C:\Users\user\AppData\Local\Temp\mrybn0ui.exe "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe Process created: unknown unknown
                                Source: C:\Program Files\BitComet\BitComet.exe Process created: C:\Program Files\BitComet\tools\UPNP.exe "C:\Program Files\BitComet\tools\UPNP.exe" -addfw -app BitComet -tcpport 7319 -udpport 7319 -q
                                Source: C:\Program Files\BitComet\BitComet.exe Process created: C:\Program Files\BitComet\tools\UPNP.exe "C:\Program Files\BitComet\tools\UPNP.exe" -add -app BitComet -lanip 192.168.2.6 -tcpport 7319 -udpport 7319 -q
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Process created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 964
                                Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\BitComet\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\BitComet\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:2
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:3
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe Process created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-3ddk1.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=zb_rav_cross_tri_ncb&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=zb_rav_cross_tri_ncb&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=zb_rav_cross_tri_ncb&p=1abd&a=100" -i -v -d -se=true
                                Source: C:\Program Files\BitComet\BitComet.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=mojoipcz --mojo-named-platform-channel-pipe=3708.7216.9049188055043856713
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=c:\users\user\appdata\local\bitcomet\ebwebview /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=c:\users\user\appdata\local\bitcomet\ebwebview\crashpad --annotation=isofficialbuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=win64 "--annotation=prod=edge webview2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:2
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:3
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-gb --service-sandbox-type=service --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:8
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:1
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeProcess created: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe "c:\program files (x86)\microsoft\edgewebview\application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="c:\users\user\appdata\local\bitcomet\ebwebview" --webview-exe-name=bitcomet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-gb --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_ch" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=mojoipcz /prefetch:1
                                Source: BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: RunningTasksThumbnailTipHelper::ShowThumbnailAtCursorIftmpTrayNotifyWndTrayClockWClassShell_TrayWndTaskbarCreatedTrayIconsystray_hidesystray_animaCtrlSettings: handle saved for remove invalid system tray icon aftrer crash
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeCode function: 8_2_00401000 cpuid 8_2_00401000
                                Source: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,9_2_0040A06A
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoW,13_2_00FC45DA
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,13_2_00FCC65F
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: EnumSystemLocalesW,13_2_00FCC9ED
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: EnumSystemLocalesW,13_2_00FCC952
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: EnumSystemLocalesW,13_2_00FCC907
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,13_2_00FCCA80
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoW,13_2_00FCCCE0
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_00FCCE06
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,13_2_00FCCFDB
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoW,13_2_00FCCF0C
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: GetLocaleInfoEx,13_2_00FA7E28
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeCode function: EnumSystemLocalesW,13_2_00FC3F6D
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: EnumSystemLocalesW,21_2_00007FF7E376FCC0
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: EnumSystemLocalesW,21_2_00007FF7E377C514
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E371FC30
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E3709C90
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_00007FF7E377CC00
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: GetLocaleInfoEx,21_2_00007FF7E3751AEC
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_00007FF7E377CA1C
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: GetLocaleInfoW,21_2_00007FF7E3770258
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,21_2_00007FF7E377C1B8
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLocaleInfoEx,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,21_2_00007FF7E37089D0
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: EnumSystemLocalesW,21_2_00007FF7E377C5E4
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: EnumSystemLocalesW,25_2_004C8C63
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,25_2_004D0F41
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetLocaleInfoW,25_2_004C91AF
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: EnumSystemLocalesW,25_2_004D11B9
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: EnumSystemLocalesW,25_2_004D1204
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: EnumSystemLocalesW,25_2_004D129F
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,25_2_004D132C
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetLocaleInfoW,25_2_004D157C
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,25_2_004D16A5
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetLocaleInfoW,25_2_004D17AC
                                Source: C:\Program Files\BitComet\tools\UPNP.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,25_2_004D1879
                                Source: C:\Program Files\BitComet\BitComet.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\logo.png VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\RAV_Cross.png VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\WebAdvisor.png VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\finish.png VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                                Source: C:\Program Files\BitComet\BitComet.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsStubLib.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsAtom.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\2d371713\008c8f6e_1700da01\rsStubLib.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Program Files\ReasonLabs\EPP\rsJSON.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\805bff08\580d9dd3_4095da01\rsJSON.DLL VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Program Files\ReasonLabs\EPP\rsLogger.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\aba0518b\8580bdd3_4095da01\rsLogger.DLL VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Program Files\ReasonLabs\EPP\rsAtom.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\7d8c5a0f\562618d2_4095da01\rsAtom.DLL VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\5524b724\b882ced3_4095da01\rsServiceController.DLL VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\Trust Protection Lists\manifest.json VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\WidevineCdm\manifest.json VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\MEIPreload\preloaded_data.pb VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                                Source: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exeQueries volume information: C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Network\SCT Auditing Pending Reports VolumeInformation
                                Source: C:\Program Files\BitComet\tools\BitCometService.exeCode function: 8_2_00488585 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,8_2_00488585
                                Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exeCode function: 21_2_00007FF7E3776850 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,21_2_00007FF7E3776850
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exeCode function: 6_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,6_2_004034A5
                                Source: C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: BitComet.exe, 0000000F.00000003.2654344301.00000246CCFE7000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000003.2654305861.00000246CCFDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RavLite.exe
                                Source: BitComet.exe, 0000000F.00000003.2654344301.00000246CCFE7000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000003.2654305861.00000246CCFDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nod32.exe
                                Source: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob
                                Source: C:\Program Files\BitComet\BitComet.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

                                Stealing of Sensitive Information

                                Source: Yara matchFile source: 8.2.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 8.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 17.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2c26c59.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000008.00000000.2507776107.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000000.2656115134.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\VideoSnapshot.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\BitCometService.exe, type: DROPPED
                                Source: Yara matchFile source: 18.2.RAVEndPointProtection-installer.exe.20958850000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 18.2.RAVEndPointProtection-installer.exe.20958760000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3603778711.0000020958852000.00000002.00000001.01000000.00000039.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2740342968.000000000273B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2732590021.0000000002739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3604286679.0000020958C8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3603171860.0000020958762000.00000002.00000001.01000000.00000038.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3604286679.0000020958DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2744857901.0000000002738000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2735452283.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsTime.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Features.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsJSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsBridge.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\BU6GPN3I\rsLogger.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\mc.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\EF17UA5X\rsServiceController.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\DLXGRDLP\rsAtom.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsJSON.dll, type: DROPPED
                                Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exeFile opened: C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences

                                Remote Access Functionality

                                Source: Yara matchFile source: 8.2.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 8.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 17.0.BitCometService.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2c26c59.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 6.2.BitComet_2.07_setup.exe.2997c2d.3.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000008.00000000.2507776107.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000000.2656115134.0000000000401000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\VideoSnapshot.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\BitComet\tools\BitCometService.exe, type: DROPPED
                                Source: Yara matchFile source: 18.2.RAVEndPointProtection-installer.exe.20958850000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 18.2.RAVEndPointProtection-installer.exe.20958760000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3603778711.0000020958852000.00000002.00000001.01000000.00000039.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2740342968.000000000273B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2732590021.0000000002739000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3604286679.0000020958C8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3603171860.0000020958762000.00000002.00000001.01000000.00000038.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.3604286679.0000020958DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2744857901.0000000002738000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000003.2735452283.0000000002736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsTime.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Features.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsJSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsBridge.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\BU6GPN3I\rsLogger.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\mc.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\EF17UA5X\rsServiceController.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsAtom.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsLogger.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\DLXGRDLP\rsAtom.DLL, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsDatabase.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\ReasonLabs\EPP\rsJSON.dll, type: DROPPED
                                Source: C:\Program Files\BitComet\tools\UPNP.exe
                                Code function: 25_2_004A6D27 __EH_prolog3_GS, socket, WSAIoctl, htons, inet_addr, setsockopt, bind, closesocket, sendto, select, recv, closesocket
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 Software | 1 Scripting | 1 Valid Accounts | 11 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 14 Command and Scripting Interpreter | 1 Valid Accounts | 11 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 88 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 34 Windows Service | 34 Windows Service | 2 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | 12 Service Execution | 11 Scheduled Task/Job | 12 Process Injection | 1 Timestomp | LSA Secrets | 191 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | 1 Registry Run Keys / Startup Folder | 11 Scheduled Task/Job | 1 DLL Side-Loading | Cached Domain Credentials | 71 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 1 Registry Run Keys / Startup Folder | 43 Masquerading | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Modify Registry | /etc/passwd and /etc/shadow | 2 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 71 Virtualization/Sandbox Evasion | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 11 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 12 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
| Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Hidden Files and Directories | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service |
                                [Behavior graph: Behavior Graph ID: 1430097, Sample: SecuriteInfo.com.Trojan.Ins..., Startdate: 23/04/2024, Architecture: WINDOWS, Score: 54]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | 45% | ReversingLabs | Win32.PUA.BitCometBundleInstaller | |
| SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | 49% | Virustotal | | Browse |
| SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | 100% | Avira | PUA/Agent.uyquw | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files\BitComet\BitComet.exe | 3% | ReversingLabs | | |
| C:\Program Files\BitComet\BitComet.exe | 1% | Virustotal | | Browse |
| C:\Program Files\BitComet\CrashReport.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\CrashReport.exe | 1% | Virustotal | | Browse |
| C:\Program Files\BitComet\WebView2Loader.dll | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\WebView2Loader.dll | 0% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\BitCometAgent_1.92.7.9.dll | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\BitCometAgent_1.92.7.9.dll | 3% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll | 0% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\BitCometService.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\BitCometService.exe | 7% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\BitCometToastsNotifier.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\BitCometToastsNotifier.exe | 1% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\ChromeLauncher.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\ChromeLauncher.exe | 1% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\UPNP.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\UPNP.exe | 11% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\Updater.exe | 9% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\Updater.exe | 9% | Virustotal | | Browse |
| C:\Program Files\BitComet\tools\VideoSnapshot.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\tools\VideoSnapshot.exe | 0% | Virustotal | | Browse |
| C:\Program Files\BitComet\uninst.exe | 0% | ReversingLabs | | |
| C:\Program Files\BitComet\uninst.exe | 0% | Virustotal | | Browse |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll | 0% | ReversingLabs | | |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll | 0% | Virustotal | | Browse |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll | 0% | ReversingLabs | | |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\ffmpeg.dll | 0% | Virustotal | | Browse |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll | 0% | ReversingLabs | | |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll | 0% | Virustotal | | Browse |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll | 0% | ReversingLabs | | |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll | 0% | Virustotal | | Browse |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | 0% | ReversingLabs | | |
| C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | 0% | Virustotal | | Browse |
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
                                                        https://ampcid.google.com/v1/publisher:getClientIdBitComet_stats.exe, 00000009.00000003.2661175689.0000000003807000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          https://www.avast.com/eula-avast-consumer-productSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            https://cdn.pawns.app/download/sdk/latest/windows/pawns-sdk.dllBitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                              https://sadownload.mcafee.com/products/sa/bsi/win/binary/saBSI.exe, 0000000D.00000003.2841061853.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2828873242.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2823686677.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2852436072.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2708933152.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2801306182.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2802730470.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2738684918.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2983403300.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2693002624.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2847271705.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2813260813.0000000005570000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2982230999.0000000005570000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                https://www.remobjects.com/psSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2201306158.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2199064536.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000000.2202841770.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                                  http://submit.fileshot.net/query/POST3api_versionvl_hashfile_sizeBitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xmlsaBSI.exe, 0000000D.00000003.2984036734.0000000005550000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3000926030.0000000005559000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2693002624.000000000555C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984625000.0000000005555000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      https://shield.reasonsecurity.com/rsStubActivator.exeNSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EC2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        https://www.innosetup.com/SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2201306158.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe, 00000000.00000003.2199064536.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000000.2202841770.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                                          https://www.avast.com/privacy-bY&SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            https://stats.g.doubleclick.net/j/collectBitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              http://ccsca2021.ocsp-certum.com05SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                ftp://http://%.20s%ddefault%d%.20scopyingBitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_mrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    https://www.mcafee.com/consumer/v/wa-how.html;saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      http://www.certum.pl/CPS0SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000003.2645391968.00000246CEEF5000.00000004.00001000.00020000.00000000.sdmp, BitComet.exe, 00000010.00000003.2654393263.0000021223EF5000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        https://apphit.com/?random=1&style=iframemsedgewebview2.exe, 00000023.00000002.2858335248.00000092C1FEF000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                          https://www.mcafee.com/consumer/v/wa-how.html7saBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            https://issuetracker.google.com/255411748msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://www.avast.com/privacy-poliSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xmlsaBSI.exe, 0000000D.00000003.2663279311.0000000000D37000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657893036.0000000000D41000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2657919267.0000000000D37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  https://www.winzip.com/win/en/privacy.htmlSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    https://anglebug.com/7246msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      http://mirror.com/pub/file.exeBitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                        https://unitedstates1.ss.wd.microsoft.us/msedgewebview2.exe, 0000001D.00000003.2808946619.0000028454FAA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          https://sadownload.mcafee.com/products/saemRootsaBSI.exe, 0000000D.00000002.2995644763.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            https://www.opera.com/he/eula/computersSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277469306.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E80000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.0000000000A42000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              https://www.opera.com/he/eula/computersqSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.00000000009EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2288211314.00000000009ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                http://127.0.0.1BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                  https://www.bitcomet.com/client/video-download/OpenBCTPAddPictureLinkDownloadOpenBCTPListon_need_actBitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                    https://www.bitcomet.com/client/install-stats/BitComet_stats.exe, 00000009.00000002.2715053201.0000000000869000.00000004.00000020.00020000.00000000.sdmp, BitComet_stats.exe, 00000009.00000003.2669534223.0000000000868000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      https://d19smx8nanztd4.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip/SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRulesISB.xmlsaBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2663397434.0000000000D58000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          https://update.reasonsecurity.com/v2/live-dt:10:rsSyncSvc.exe, 00000015.00000002.2676550953.0000023809B6C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            https://update.reasonsecurity.com/v2/updatemrybn0ui.exe, 0000000E.00000003.2622602906.000000000273A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              https://www.avast.com/privacy-pSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                http://anglebug.com/4722msedgewebview2.exe, 0000001F.00000003.2752840000.0000663000160000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://www.mcafee.com/consumer/en-us/policy/legal.htmld9e074SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E90000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/rsaBSI.exe, 0000000D.00000000.2596253742.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp, saBSI.exe, 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                                                                                      https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/saBSI.exe, 0000000D.00000003.2663279311.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000003.2984800590.0000000000D51000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        https://d19smx8nanztd4.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipQSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.0000000002489000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          https://stats.g.doubleclick.net/g/collect?v=2&BitComet_stats.exe, 00000009.00000003.2569900816.00000000083B1000.00000004.00000020.00020000.00000000.sdmp, msedgewebview2.exe, 00000020.00000003.2947566246.0000239C0046C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://www.bitcomet.com/doc/privacy-policy.phpSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E8B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.0000000003507000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.00000000074F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              https://update.reasonsecurity.com/v2/liversSyncSvc.exe, 00000015.00000002.2676550953.0000023809B6C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                https://analytics.apis.mcafee.com/saBSI.exe, 0000000D.00000002.2995644763.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  https://www.avast.com/privacy-poSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    https://sadownload.mcafee.com/products/SA/v1/bsisaBSI.exe, 0000000D.00000003.2984036734.0000000005550000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 0000000D.00000002.3000926030.0000000005550000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      https://www.bitcomet.comkBitComet_stats.exe, 00000009.00000002.2714984634.0000000000853000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        https://www.avast.com/privacy-policVYSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          https://github.com/dahall/taskschedulermrybn0ui.exe, 0000000E.00000003.2623933047.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            https://sadownload.mcafee.com/products/sa/bsi/win/binarysaBSI.exe, 0000000D.00000003.2984036734.0000000005550000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              https://d19smx8nanztd4.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipNSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004EE3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://www.avast.com/eula-avast-conSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277525037.0000000000A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://www.winzip.com/win/en/eula.htmlSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2277673222.00000000009D1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    http://html4/loose.dtdBitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitCometService.exe, 00000008.00000000.2507909936.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitCometService.exe, 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp, BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                      http://127.0.0.1Note:BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                        https://www.bitcomet.comBitComet_stats.exe, 00000009.00000003.2661292177.000000000380B000.00000004.00000020.00020000.00000000.sdmp, BitComet.exe, 0000000F.00000000.2641241995.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmp, BitComet.exe, 0000000F.00000002.2658160940.00007FF63AC67000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                                          http://crl.certum.pl/ctsca2021.crl0oSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.00000000035C1000.00000004.00001000.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000003.2506417692.000000000321E000.00000004.00000020.00020000.00000000.sdmp, BitComet_2.07_setup.exe, 00000006.00000002.2559900252.000000000270A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            http://www.bitcomet.com/doc/term-of-use.phpSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3195664175.0000000004E8B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3191334764.0000000003507000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3184029070.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3201229701.00000000074F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000003.2649945969.0000000000A55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://www.mcafee.com/consumer/eSecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, 00000002.00000002.3187426790.000000000249C000.00000004.00001000.00020000.00000000.sdmpfalse
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                                                                                                                                                        unknownUnited Arab Emirates
                                                                                                                                                                                                                                        5384EMIRATES-INTERNETEmiratesInternetAEfalse
                                                                                                                                                                                                                                        120.244.124.94
                                                                                                                                                                                                                                        unknownChina
                                                                                                                                                                                                                                        56048CMNET-BEIJING-APChinaMobileCommunicaitonsCorporationCNfalse
                                                                                                                                                                                                                                        187.188.32.85
                                                                                                                                                                                                                                        unknownMexico
                                                                                                                                                                                                                                        22884TOTALPLAYTELECOMUNICACIONESSADECVMXfalse
                                                                                                                                                                                                                                        189.90.136.54
                                                                                                                                                                                                                                        unknownBrazil
                                                                                                                                                                                                                                        28195Com4DataCenterEireliBRfalse
                                                                                                                                                                                                                                        75.43.182.54
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        7018ATT-INTERNET4USfalse
                                                                                                                                                                                                                                        5.130.84.13
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        31200NTKIPv6customersRUfalse
                                                                                                                                                                                                                                        78.29.72.26
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        12389ROSTELECOM-ASRUfalse
                                                                                                                                                                                                                                        79.158.114.17
                                                                                                                                                                                                                                        unknownSpain
                                                                                                                                                                                                                                        3352TELEFONICA_DE_ESPANAESfalse
                                                                                                                                                                                                                                        115.219.1.200
                                                                                                                                                                                                                                        unknownChina
                                                                                                                                                                                                                                        4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
                                                                                                                                                                                                                                        108.48.196.230
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        701UUNETUSfalse
                                                                                                                                                                                                                                        111.193.229.199
                                                                                                                                                                                                                                        unknownChina
                                                                                                                                                                                                                                        4808CHINA169-BJChinaUnicomBeijingProvinceNetworkCNfalse
                                                                                                                                                                                                                                        46.138.88.161
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        25513ASN-MGTS-USPDRUfalse
                                                                                                                                                                                                                                        177.38.242.115
                                                                                                                                                                                                                                        unknownBrazil
                                                                                                                                                                                                                                        52974HenetTelecomunicacoesLtdaBRfalse
                                                                                                                                                                                                                                        76.136.185.14
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        7922COMCAST-7922USfalse
                                                                                                                                                                                                                                        194.61.1.41
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        43263SMARTSYSTEMS-ASRUfalse
                                                                                                                                                                                                                                        5.44.8.73
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        39812KAMENSKTEL-ASPobedyStr37bKamensk-UralskyRUfalse
                                                                                                                                                                                                                                        14.192.214.65
                                                                                                                                                                                                                                        unknownMalaysia
                                                                                                                                                                                                                                        9534MAXIS-AS1-APBinariangBerhadMYfalse
                                                                                                                                                                                                                                        165.49.3.192
                                                                                                                                                                                                                                        unknownSouth Africa
                                                                                                                                                                                                                                        37564wirulinkZAfalse
                                                                                                                                                                                                                                        82.79.34.216
                                                                                                                                                                                                                                        unknownRomania
                                                                                                                                                                                                                                        8708RCS-RDS73-75DrStaicoviciROfalse
                                                                                                                                                                                                                                        86.18.128.215
                                                                                                                                                                                                                                        unknownUnited Kingdom
                                                                                                                                                                                                                                        5089NTLGBfalse
                                                                                                                                                                                                                                        80.152.214.170
                                                                                                                                                                                                                                        unknownGermany
                                                                                                                                                                                                                                        3320DTAGInternetserviceprovideroperationsDEfalse
                                                                                                                                                                                                                                        118.41.43.68
                                                                                                                                                                                                                                        unknownKorea Republic of
                                                                                                                                                                                                                                        4766KIXS-AS-KRKoreaTelecomKRfalse
                                                                                                                                                                                                                                        117.26.251.205
                                                                                                                                                                                                                                        unknownChina
                                                                                                                                                                                                                                        133776CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCNfalse
                                                                                                                                                                                                                                        95.66.247.92
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        35645INFOCENTERRUfalse
                                                                                                                                                                                                                                        109.195.20.45
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        50543SARATOV-ASRUfalse
                                                                                                                                                                                                                                        186.195.147.226
                                                                                                                                                                                                                                        unknownBrazil
                                                                                                                                                                                                                                        28669America-NETLtdaBRfalse
                                                                                                                                                                                                                                        176.193.29.60
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        12714TI-ASMoscowRussiaRUfalse
                                                                                                                                                                                                                                        185.30.229.213
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        24663COMPLAT-ASRUfalse
                                                                                                                                                                                                                                        122.223.23.132
                                                                                                                                                                                                                                        unknownJapan2519VECTANTARTERIANetworksCorporationJPfalse
                                                                                                                                                                                                                                        37.236.230.130
                                                                                                                                                                                                                                        unknownIraq
                                                                                                                                                                                                                                        50710EARTHLINK-ASIQfalse
                                                                                                                                                                                                                                        109.195.146.32
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        51035UFA-ASRUfalse
                                                                                                                                                                                                                                        222.120.81.99
                                                                                                                                                                                                                                        unknownKorea Republic of
                                                                                                                                                                                                                                        4766KIXS-AS-KRKoreaTelecomKRfalse
                                                                                                                                                                                                                                        178.186.239.149
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        12389ROSTELECOM-ASRUfalse
                                                                                                                                                                                                                                        52.206.191.209
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        14618AMAZON-AESUSfalse
                                                                                                                                                                                                                                        83.253.41.48
                                                                                                                                                                                                                                        unknownSweden
                                                                                                                                                                                                                                        39651COMHEM-SWEDENSEfalse
                                                                                                                                                                                                                                        47.61.33.129
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        12430VODAFONE_ESESfalse
                                                                                                                                                                                                                                        178.120.4.184
                                                                                                                                                                                                                                        unknownBelarus
                                                                                                                                                                                                                                        6697BELPAK-ASBELPAKBYfalse
                                                                                                                                                                                                                                        121.145.79.43
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430097
Start date and time: 2024-04-23 07:38:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 45
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
Detection: MAL
Classification: mal54.troj.spyw.evad.winEXE@74/754@0/100
EGA Information:
• Successful, ratio: 62.5%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 341
• Number of non-executed functions: 152
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Execution Graph export aborted for target BitCometService.exe, PID 2716 because there are no executed function
• Execution Graph export aborted for target SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp, PID 4824 because there are no executed function
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
07:40:15 | Task Scheduler | Run new task: EPPHealthCheck path: C:\Program Files\ReasonLabs\EPP\Uninstall.exe s>/auto-repair=RavStub
07:41:09 | Autostart | Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv grpconv -o
07:41:17 | API Interceptor | 4295x Sleep call for process: BitCometService.exe modified
07:42:06 | Task Scheduler | Run new task: VPNHealthCheck path: C:\Program Files\ReasonLabs\VPN\Uninstall.exe s>/auto-repair=ReasonVPNStub
                                                                                                                                                                                                                                        No context
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27769744
                                                                                                                                                                                                                                        Entropy (8bit):6.586209485646042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:393216:rxfAuGYmJK3KQnGI3XrIUmh61HQ18HrFkaj2avtq/dCa:rxfBGzgaCIph6U8Hydiq
                                                                                                                                                                                                                                        MD5:1E74EE00A40D42C984DA333B5E3CEACE
                                                                                                                                                                                                                                        SHA1:F6418EBAB787264397211F8C867913243C225AAC
                                                                                                                                                                                                                                        SHA-256:46118EEFDC8FF2A77A2BE5A9D4725958DC6C75E4D37668C38FEAD7A140B4EC6C
                                                                                                                                                                                                                                        SHA-512:03FFF555E540B096662BB6E4898AA5658BD3E035CF0547F11682880FC5AB35F683B52D1B5EC1FEB0863F78239F92B16FA84F071C591A2102E28706782931CFC4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<http://www.bitcomet.com/>), ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50
                                                                                                                                                                                                                                        Entropy (8bit):4.4083674395583765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:HRAbABGQYm/0S4swgCn:HRYFVm/r4sVCn
                                                                                                                                                                                                                                        MD5:DB92ACDD3CA34962A98787EF93BA720D
                                                                                                                                                                                                                                        SHA1:C1E35D6B82C767652361AA023892314F951FA7F2
                                                                                                                                                                                                                                        SHA-256:9C62EE59333568C5248CB620435BA08BBB2FAF79D08BFD0569B7E66BCF1E62B2
                                                                                                                                                                                                                                        SHA-512:9A037D8C0DA68F64841DD2289F24A5179B2FC0F150B0151C5CF9CB924CFA6AE5077E83704B46EAA07C1E5F629B3B5C12D20D35A746DB2E0A0614FD818370968A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[InternetShortcut]..URL=http://www.bitcomet.com/..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Nim source code, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):238845
                                                                                                                                                                                                                                        Entropy (8bit):4.67290614511301
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:2SJVSo8SDNkTj2Jc+lE/d0R/tn1rI1tjXp7XUvepkrFOtYXoXwwlsgrQNEHF2:R9Zu2Jc+lE/d0R/tn1rI1tjXp7XUvep0
                                                                                                                                                                                                                                        MD5:632DEC77CC3F17118C62C51AC5CF6455
                                                                                                                                                                                                                                        SHA1:E4EFE63F03E2649B4F3C7F4BAB7D6E1B6E03A413
                                                                                                                                                                                                                                        SHA-256:131838B5D0664C19C769EAE3802A918D166D3BF3B312BBDE9FE73C0A874B6138
                                                                                                                                                                                                                                        SHA-512:EDA47F68FB72D8F382AD0A9363F1C9326D3DD8E1871BEA93BBF6A718A970D89DDE96CBF37D71ABFA8841C245943EA1617E68C00CD83B1865904D329179E83C8C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.changelog..=============================..v2.07 2024.3.5.. GUI Improve: When adding task by click a magnet link, holding down the Ctrl key will not display the new task dialog box and will directly create the task using default parameters.. GUI Improve: The date format of the CometID score history dialog is the same as that of the download list.. GUI Bugfix: When multiple BT tasks selected, the operation of setting long-term seeding in batches does not take effect in time.. Core Improve: Each HTTP task connection uses the original URL to initiate a connection to support redirecting to different CDN offload links.. Core Bugfix: program crash caused by long-term disk cache....v2.06 2024.1.18.. GUI Improve: Improve the task log list to prevent lagging when displaying a large number of logs.. GUI Improve: In expert mode, add the piece cache list and the long-term seeding cache list to the left fav bar.. GUI Improve: In expert mode, add the piece cache size,
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1949936
                                                                                                                                                                                                                                        Entropy (8bit):6.535711188253392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:0pRX0/HOKZZ8kwyyE/368yyy/S6XxDzb493jj1TLiiI:q8dZHqSGU93Jo
                                                                                                                                                                                                                                        MD5:AF3A99EFDD6A70F8418431B2DD5DAF10
                                                                                                                                                                                                                                        SHA1:D43721F53A5D62A7AEA22979ABE41A97576E33D0
                                                                                                                                                                                                                                        SHA-256:019C73A89EAF7C0D5A5817F2ACBB3A7556EF08E1C5A465A739701FFB617435EF
                                                                                                                                                                                                                                        SHA-512:3CA7284B0122D58ADBED7C69DC6E842F2D26CD409453D1910D75D73C38464719FCC04BB5B624D5F69E6E93E3BFF9C5BB5851770EF5C4A1D3D1A6B0586EAF6D13
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (511), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3324
                                                                                                                                                                                                                                        Entropy (8bit):4.428609742230892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:eaZToQacsNGZNMZ0JiCGS+fBpA6zNHUzOE:/oMN80qhDh0zP
                                                                                                                                                                                                                                        MD5:F89B3E6B67B0F87DAA225822C9BC752C
                                                                                                                                                                                                                                        SHA1:2826F2199DCAA3FC60D413B2C0C2F41462E11E99
                                                                                                                                                                                                                                        SHA-256:A4E351B0C180D29D9CA058111E8ED0606556D59E902F0125B1995FC1CF20612B
                                                                                                                                                                                                                                        SHA-512:9BB1AD63A1835FFF6B093D0F0737913BDC4C49E316F208E116E48D2923B7632F3114C39EC652AEE479AB00EC507172E6E0236BB15548891F95CF664CC8A2BC4D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:BitComet Software License Agreement....This agreement is a legal agreement between you and BitComet Development Group (BitComet) with respect to the use of the BitComet Software (Software).....By using the Software, you acknowledge that you and such use are bound by and subject to the provisions of this agreement without modifications. If you do not accept these terms of use in their entirety, you may not access or use the Software.....1. The Software is being licensed to you free of charge for your private personal use only. The Software is licensed, not sold. You may use the Software for non-commercial purposes only.....2. You may not use the Software in support of any commercial entity or activity without the express written agreement of BitComet. By way of example, and not as a limitation, charging others to use the Software either directly or indirectly, using the Software to sell any goods or services. ....3. The Software is protected by copyright laws and international copyright
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3925
                                                                                                                                                                                                                                        Entropy (8bit):4.750284711607116
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eHWT+aHroH2/uIAyRzDJzx7ZRDz+cGLFCkrSS812WLlFms6pOh49lC8oDfzMEclc:sWDUH2/3DJzx7XnG7TRrKrAES9Ls9/
                                                                                                                                                                                                                                        MD5:2A91DA2F6A8A22FF3F13334E5A13F448
                                                                                                                                                                                                                                        SHA1:94D8B24641EF523E95611C859DB3A4C6B2A23E46
                                                                                                                                                                                                                                        SHA-256:FF0A7622EC073E373206B08B5B39410F7CBC6D5B69CEECA48E825D2D8C514D0F
                                                                                                                                                                                                                                        SHA-512:B25A6DCC716280310F937E36B9D47D0667F4198DED781087691B0F20BFC06268D3EA9BF91E1C0091E006F7D6755269614F55C79D4593F78FC2E86EEA2A7ED298
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:BitComet Readme..--------------------------------------------------..Bitcomet is a p2p file-sharing freeware fully compatible with BitTorrent, designed for the high-speed distribution of 100MB or GB sized files. ..BitComet is a easy-to-use multi-torrent client for Win32 platforms, along with lots of improvements. Support download certain files within torrent, ..disk cache, fast resume, port mapping, speed limits, etc. Small, clean, and fast. No adware or spyware.....Feature..--------------------------------------------------..1. Clean and free, without any adware or spyware. ..2. Completely new core written in C++, stable and fast, very low CPU usage...3. Multiple simultaneous downloads, ability to select download files in one torrent and set file priority. ..4. Ability to limit the upload speed as well as download speed. ..5. Intelligent Connection Optimize, Auto Optimization for different connections, runs well using all default settings. ..6. Intelligent Rate Control, optimize
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):158648
                                                                                                                                                                                                                                        Entropy (8bit):6.175093839791051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:R8AhKsY0iHlDhvlUQN2gWNZ6hVThFEtqQbucPqAJwU:usY0+lNv6E2JYEtzbuuV
                                                                                                                                                                                                                                        MD5:577F05CD683ED0577F6C970EA57129E0
                                                                                                                                                                                                                                        SHA1:AEDF54A8976F0F8FF5588447C344595E3C468925
                                                                                                                                                                                                                                        SHA-256:7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
                                                                                                                                                                                                                                        SHA-512:2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....c.........." .....B..........`D..............................................g.....`A....................................................(............@.......D...'..........4...T.......................(....a..8.......................`....................text...5A.......B.................. ..`.rdata.......`.......F..............@..@.data........ ......................@....pdata.......@......................@..@.00cfg..(....`......................@..@.gxfg...p....p......................@..@.retplne\................................tls.................0..............@....voltbl.D............2.................._RDATA...............4..............@..@.rsrc................6..............@..@.reloc...............<..............@..B........................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4975449
                                                                                                                                                                                                                                        Entropy (8bit):4.611367659584351
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:tcboOq2aSfwA1WedpStC/8n0Sn5Y+4Nf+HJRMKXPSP02x1x7uOQ96k0N:tcUCa8Q085Z4NfUEoU
                                                                                                                                                                                                                                        MD5:339F832E5C73A8ACEADAF721D47CBFC5
                                                                                                                                                                                                                                        SHA1:E59E47D06DF00C1553DEBBA3A57C2A218F24A761
                                                                                                                                                                                                                                        SHA-256:39C429FF8CCFC055B4B9AB0935BCCBD54E1554F94E00B03E63E6D32C70284043
                                                                                                                                                                                                                                        SHA-512:1B1463450F1592B2A9DE7FAF729438F7E807D0DE9424B361D275200DAB7B8A8F6A54721F6C468C6FE8AF9439DA4FF3EB429F2EED49E00F6E7300FF00A4088201
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4876
                                                                                                                                                                                                                                        Entropy (8bit):3.976806378598989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:xEH0b0R60R40Rlg0Rq0Ra0RK0RQ0R90R60R10RH0Res0RB0RR0R50R80Rj0RZa07:2zljXwRrQ1eyf
                                                                                                                                                                                                                                        MD5:DCDEE7D1FFB80E2728939933A94FDD64
                                                                                                                                                                                                                                        SHA1:AF11A2CB19DD6D24DD3179B955DBD8805644D12A
                                                                                                                                                                                                                                        SHA-256:1978838F43DCAC78B9D899A3C5129F04F7238769EF0C2365E1618E4F22E976DA
                                                                                                                                                                                                                                        SHA-512:79E058CA5D5EF912E6F3C2AD61F3D07BDF9093E0956DB5CEEF47862DFAC844BA4F3B7DF6084033E08B0AA3AAD7E772BA7A7AE96258A92AFF49CF5E4A391C7D69
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:You can help us to translate BitComet into your own language.....1. Please visit http://www.bbcomet.com/projects/bitcomet/ and try to translate on the web.....2. After finish translation, you can download .mo file from the website, and save it to this folder.. to have a try. BitComet will load it after restart.....3. When the next release of BitComet, we will merge your translation into the install package.....Thank you for your support...........Language list supported by BitComet:.... Language -> Language File Name..==================================================..Albanian -> bitcomet-sq.mo..Arabic -> bitcomet-ar.mo..Armenian -> bitcomet-hy.mo..Azeri -> bitcomet-az.mo *** (see note)..Basque -> bitcomet-eu.mo..Bengali -> bitcomet-bn.mo *** (see note)..Bosnian -> bitcomet-bs.mo..Bulgarian
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1619 messages, Project-Id-Version: BitCometGUI '\330\247\331\204\331\205\331\204\331\201 \330\247\331\204\330\260\331\212 \330\252\331\205 \330\252\331\206\330\262\331\212\331\204\331\207 \331\205\331\201\331\202\331\210\330\257.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):179258
                                                                                                                                                                                                                                        Entropy (8bit):5.739299449692993
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:WNXNEh4ZajgDqLyXo7KBkJ7ZZ3hcRrF95494IL7RKmByZrkErAcjGYEeIgdBD5of:cZajfT4iga
                                                                                                                                                                                                                                        MD5:8DC1F284380CE71DFB73937ACEA62C81
                                                                                                                                                                                                                                        SHA1:E465E5B4FD72DECC40DA8D9EC6F2B2BC706FC80A
                                                                                                                                                                                                                                        SHA-256:99BB04C9B2478DE1AEA2FA818E46E09ACE42E9B1931B0AF0A7474328D61908C4
                                                                                                                                                                                                                                        SHA-512:AD2812A1DAE98C4140ECC4B4D821CF06D79B0F351D0407179C6FA0118F7B4413DCA6C8E1D0C6CE4C30D4A6F82865157C6F3DAF55B22A9DEA2080C34CC81E7364
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI '\320\230\320\274\320\277\320\276\321\200\321\202\320\270\321\200\320\260\320\275\320\265 \320\275\320\260 DHT \321\202\320\276\321\200\320\265\320\275\321\202\320\270'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):316914
                                                                                                                                                                                                                                        Entropy (8bit):5.666795008919683
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7XO90neE/YeANdDv0XXu299XQdkgnDn1XM/waHUNHvCK2TAauWv3qm:7X+Rnrv29FQdkk1XM/waHUF6K2TAyv37
                                                                                                                                                                                                                                        MD5:6F715403B746BDA39FEEBA4CAEEB0410
                                                                                                                                                                                                                                        SHA1:EF58893EC2AA97A49EB2467250BDB6C509678582
                                                                                                                                                                                                                                        SHA-256:D2C44371C0D4C24670051F9C3B716F84CFB3D1EB9543909DC23CE3AA786F6B90
                                                                                                                                                                                                                                        SHA-512:39ECABAAF523EF3C128FA3F922392471E5D3F979906014E437D0F6814AFA154E3B5FC2F86B9D8CE8AB52D674A3BBC42F1AD13DB228ECF2240D0BC0D5982DA786
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 226 messages, Project-Id-Version: BitCometGUI 'Gre\305\241ka pri otvaranju torrenta'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17394
                                                                                                                                                                                                                                        Entropy (8bit):5.28120117659183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QLutcjsJte7/lNvwFIlDyXo7KkJusaeINm31GnjfWvo:xtwktG/ldlDyXo7KkJvaetuOA
                                                                                                                                                                                                                                        MD5:16484FF35831E513CE54BB81F75EA1D8
                                                                                                                                                                                                                                        SHA1:9B381519293B46F2BA28BF12623D99B21DC9F6B2
                                                                                                                                                                                                                                        SHA-256:2C81FEBF21A11200B202A86DC653B82B40CE1270DBAD2B8FF6678A52CABDF45D
                                                                                                                                                                                                                                        SHA-512:A0D4E5B9989EFA3A94026734FD5DF5F59A7675081BF06F2C27B44953674E7EF686CA8236F9A287BD3AA0569725A0DECF1EEDF9DFC4C67F8C29A69AC4E6AB3F88
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 421 messages, Project-Id-Version: BitCometGUI 'Ha fallat l'Obertura del Torrent'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33735
                                                                                                                                                                                                                                        Entropy (8bit):5.29330825400782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:gJvzYtJi2/13lDXrn2S3jyORqkqDyXo7kJNvl1xeAoxtfGNQSC+BH/:AuV13lDXrn2S32OR/qDyXo7kJNvPxeAF
                                                                                                                                                                                                                                        MD5:E0DDB43B7CB773F65DD57560103D91C4
                                                                                                                                                                                                                                        SHA1:7EBD19FBC9833D71215939E64D394F588FA76EDD
                                                                                                                                                                                                                                        SHA-256:718B12371EC6542CAFB502831FC3F17E52ED62A88BAF4DF98F246CC83C08F04E
                                                                                                                                                                                                                                        SHA-512:E34F98C429640BE63B6C3DC56A50B2315355081F4B17F5859885B5074B84E3EADFF483530B1D6BF5799DCD584A8ACD839DCBFF9139BECAD1DE6B63C3A20A1791
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 930 messages, Project-Id-Version: BitCometGUI 'Selhalo otev\305\231en\303\255 torrentu'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):85953
                                                                                                                                                                                                                                        Entropy (8bit):5.550252031843765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:yITUQExX5i1VGHFwZytzlzXrnJS3WODKjWDqLyXo7KBkJ7Zf/Xk8io58eRr03fGw:yCEUGHeZGzzWDqLyXo7KBkJ7Zf/nRr05
                                                                                                                                                                                                                                        MD5:01ED28E68AEC7A7C5C643B2C41F9EC0C
                                                                                                                                                                                                                                        SHA1:D518F747478C0F6D8C2BB07B7143D51D379538FC
                                                                                                                                                                                                                                        SHA-256:F0EF326E0576663CE3B70E260554F174CE8CD9791FF372DEF086B0D3CFD9BEFC
                                                                                                                                                                                                                                        SHA-512:1040CDD61D9DC2EF2CDA02A7EA9B67C46A4B1081C8574CE0DD1FFA7CBECA7772DA9AF996A9335EC4CE607427933E643E1055D09EC66270B24B16878DF64189B9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 566 messages, Project-Id-Version: BitCometGUI 'Downloadet fil mangler'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49173
                                                                                                                                                                                                                                        Entropy (8bit):5.3495103985495716
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:FaPX90u3K9Xrnt13COVY1ODyXo7BkJZO9RrxZfLOLXDak1QZTDpKrbFWtYZl3SI:cqu3guODyXo7BkJZO9RrxhLOLXDak1Qi
                                                                                                                                                                                                                                        MD5:3760138D7545FD652ABD090AA93EB5E2
                                                                                                                                                                                                                                        SHA1:F9EA18F84EF9B08B00700BE6AA65B2D9D9D7CA02
                                                                                                                                                                                                                                        SHA-256:7B81D667C03245799B16C30B67517C6D3CB7D60B2BBC058D37C641FF3A30558D
                                                                                                                                                                                                                                        SHA-512:CB1E7B976D1247324DF3A920EDBECCF61A0F63F3EFC532803B5C11DD42AB63B43F22BC50EEE7F5767BBCC2A690067B2CCE02E533370650258C706FC70FC48C13
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importieren von DHT-Torrents'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254564
                                                                                                                                                                                                                                        Entropy (8bit):5.495203396577954
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCO276s3dzTJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvbvWCuo4sbrO:7XOWtx/YeANdDvbOCb4sPO
                                                                                                                                                                                                                                        MD5:F2387DCA51F4864B7420B01D739BA5B3
                                                                                                                                                                                                                                        SHA1:2AFFA6CD9B20CA093E6B52A9B81A406EE8905229
                                                                                                                                                                                                                                        SHA-256:B89D4A3B111F5563B3C0BEBBF89E000FC118994DCA212B3660339BE7B94B9CE1
                                                                                                                                                                                                                                        SHA-512:70AECE95D32A7C1AD3032E00CC38D6E942D57F4C1856EAA72DEF7563AB61DD3CD7D31EF2021CEB00E5D98C496D1DA32B2701AEE583A1C547D79BACB8EE7695CD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 703 messages, Project-Id-Version: BitCometGUI '\316\244\316\277 \316\272\316\261\317\204\316\265\316\262\316\261\317\203\316\274\316\255\316\275\316\277 \316\261\317\201\317\207\316\265\316\257\316\277 \316\273\316\265\316\257\317\200\316\265\316\271.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66493
                                                                                                                                                                                                                                        Entropy (8bit):5.664557677237806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:b1Ypdfzi3K9XrnItS3uOODqyXo7KBkJ7ZFrhs20qEMeulNd0Zs/:b1YPfzi3THDqyXo7KBkJ7ZFrhh7N0s/
                                                                                                                                                                                                                                        MD5:7B0785478939E921BACC9AD2B3FA1F2F
                                                                                                                                                                                                                                        SHA1:FE0FF144D3C866A4A9C4C494C798A8D7B286C06A
                                                                                                                                                                                                                                        SHA-256:C59927FD512B6ED15061FB208E4ABD399DFF351FC57158F8D71F8C1333A7AD9F
                                                                                                                                                                                                                                        SHA-512:ECC0FBF70DFDE05944DC7E006E49612C293597001DCF4F78A075F542282DBE4055D911E3CA0E6BB59BC9CC093013F02241E5F42C4411C57D813119F5EA168026
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 8 messages, Project-Id-Version: BitCometGUI 'Download &Later'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):825
                                                                                                                                                                                                                                        Entropy (8bit):5.264360596082375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:u0UMebQKteDfVt0doEXmN41h1Cjll9LeW:uTPbQKteDfMd0W101eW
                                                                                                                                                                                                                                        MD5:180E7F2D44A75BE32DDFF3F1873011A4
                                                                                                                                                                                                                                        SHA1:21BD4868EFCB26854F2428F4AF4FA5DBE73B30C1
                                                                                                                                                                                                                                        SHA-256:CFC5DE4DC3BF37E12C43B727F19A4E83123BC1AA1CEFB9394C31B565C0094834
                                                                                                                                                                                                                                        SHA-512:5CE52CC31B417E49EB9B44DA6ED19FDE44092036F492441BB3449455389E7F8B3E5B426DC2F129C4E7CAFEE0ECED20EA718D479F17B283DA7A6CB8B29AF1F6B7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................\............................................................... ......./.......=............................... .......&.......,.......3................................................Common.Download Later.Common.Download Now.MainMenu.CometID.MainMenu.File.MainMenu.Help.MainMenu.Tools.MainMenu.View.Project-Id-Version: BitCometGUI.Report-Msgid-Bugs-To: .PO-Revision-Date: 2024-01-16 23:54+0800.Last-Translator: wxhere <wxhere@hotmail.com>.Language-Team: .Language: en.MIME-Version: 1.0.Content-Type: text/plain; charset=UTF-8.Content-Transfer-Encoding: 8bit.X-Poedit-KeywordsList: _:1g.X-Poedit-Basepath: ../../...X-Poedit-SourceCharset: UTF-8.X-Generator: Poedit 3.4.2.X-Poedit-SearchPath-0: GUI_BitComet.X-Poedit-SearchPath-1: GUI_wxCommon..Download &Later.&Download Now.&CometID.&File.&Help.&Tools.&View.
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importaci\303\263n de torrents DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254440
                                                                                                                                                                                                                                        Entropy (8bit):5.446112409563802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCO2MnyjyAS+J/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDv+9aZ68Ore3w5Xi:7XO2e8yASU/YeANdDvoi
                                                                                                                                                                                                                                        MD5:97849AE8D7A2C6018C86E2DD9BB99EDA
                                                                                                                                                                                                                                        SHA1:864BAE6FE4D743DFCFE66DEADF08D5B2F9BE22A8
                                                                                                                                                                                                                                        SHA-256:7D15C7E8016026AEC227073BB447EDA944E5963FFF14EE97FB6822FB90FC0E3F
                                                                                                                                                                                                                                        SHA-512:7995B501BB835A4B8EE1E00ACE5A0BA2C19DAEAEAFC7120881B54AEDE378D91550D200D0CF8EA8F4BA308BD12ADB65126F5BB3B9212BC6BBD0EA82E2D1C9D485
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1503 messages, Project-Id-Version: BitCometGUI 'Allalaetud fail puudub'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):144199
                                                                                                                                                                                                                                        Entropy (8bit):5.466221999648207
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:K1++RyrV8WujaGZc4i3sGtDqLyXo7KBkJ7Z+MPfRrFswE41P9DoxH/6xY/:AcrjQZvi3sGWS41P9DoxH/F
                                                                                                                                                                                                                                        MD5:ABB1F7D28652A9B78CB1D5B93D12FA4A
                                                                                                                                                                                                                                        SHA1:BCBCC76418A75BCBFEFC8741BFEFDE8201E352CC
                                                                                                                                                                                                                                        SHA-256:F57F38B9FD1AE8CCF9ADACE896FAC953A8E7ECF034DADE32EF95A878F3BD2D11
                                                                                                                                                                                                                                        SHA-512:14B7A805A25E369535BEC0FB941E611FC87F605B7C7BCAF48E4E3730C0E120F11D98E3D8872BD9CF0FF943F1246EB55E67D3DD120379C35DC16E5E115A0C1F59
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1531 messages, Project-Id-Version: BitCometGUI 'Jeitsitako agiria galduta'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150126
                                                                                                                                                                                                                                        Entropy (8bit):5.417292852336041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Ci8oOQEy3SanDqLyXo7KBkJ7ZiPUfRrFsw44hReQ/wf1oBZNsWSKkUv/z:aoGy3SaSFh4Q/wf1oBZNsWSyvr
                                                                                                                                                                                                                                        MD5:2D2406AEC6027D8F8ACC794CA5826C69
                                                                                                                                                                                                                                        SHA1:6B96109BDB00C0C83240FBE0E4AD399E13115507
                                                                                                                                                                                                                                        SHA-256:4E3A2EDAEE9E3C51682B02154FD4D11CE8F34CF4A6AB7EF970749966415EA499
                                                                                                                                                                                                                                        SHA-512:CD2D255002D09677D3740331F4450E779CF025E02E113DB8CE273ACCF0A36768496C6C3A1F0D996996487060462F4C8DDB830E67D632589AAB369315A5408175
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 33 messages, Project-Id-Version: bitcomet '\330\247\330\252\330\265\330\247\331\204 \332\251\330\247\330\261\330\263\330\247\330\262'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2784
                                                                                                                                                                                                                                        Entropy (8bit):5.647303891867452
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fyIcQrtrkM2dKVdIpFBKO48ZjRjFIIej1Tmcempw5sZmDeuHaIOCQ4NZA64g:hcQ6MtVdfqOTmcDaSZmiugCQyf9
                                                                                                                                                                                                                                        MD5:B9B569AEC4DEA98925E8C51D3FF306A5
                                                                                                                                                                                                                                        SHA1:17F1EEA85A81E2B847E9C960CD9E54F80E063515
                                                                                                                                                                                                                                        SHA-256:24BF125098F9EFAE31E054ACD01B18933436A6A35F6EDBBCD30CD871C3955945
                                                                                                                                                                                                                                        SHA-512:909FD35AC1D1C87AE2CECCBAAC2F4791CD1839A845B29F8A2B79191CEBC516A440918C67BB1436F9FD53DE6A94E6ADCB4C26EADE04CAE182F37359DF3A2844CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........!.......$.../...,...........&...........................,.......A.......L.......W.......c.......q.......~...................................................................'.......7...%.......].......x...I.......L.......-...........\.......m...........................................$...................5.......A...(...N.......w...........................................#...........................................................,.......3.......O.......e.......v...I.......`......./...>.......n.......{...............................................................................................................................!................................................................................................... ....CView_Passport.Connecting to Server....Common.&Apply.Common.&Close.Common.&Download Now.Common.&No.Common.&OK.Common.&Yes.Common.Cancel.Common.Close.Common.Disable.Common.Download &Later.Common.False.Common.OK.Common.Tip.Common.True.Common.Unknown.Common.
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1254 messages, Project-Id-Version: BitCometGUI 'Torrentin Avaaminen Ep\303\244onnistui'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):115345
                                                                                                                                                                                                                                        Entropy (8bit):5.437925370762981
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JWPGIdMhIzDDqyXo7KBkJ7Z3Wl5RrFsrhfCmodfJMrMjjBin:gPWqzVus8
                                                                                                                                                                                                                                        MD5:2CC0680872FB6188E3DE92E70D1D5FCF
                                                                                                                                                                                                                                        SHA1:986B050CD5648F369D5314522914F568E83DE9F1
                                                                                                                                                                                                                                        SHA-256:3D3FD27E6A6D9D0C2E0CCDA2C6EB61C0BF2441C4E8FFEA0ED5830FB7034D659C
                                                                                                                                                                                                                                        SHA-512:A5A9C559847D0EF3D05DBC4EF3BEE88483EC542D1D19EF4AC685E1C0E644CD8BD0CE4A267A0A48AA9E32C2A3D05FDD0495D632E08230CCFBE8F7824A4810849E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importation de torrents DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):260421
                                                                                                                                                                                                                                        Entropy (8bit):5.50139533739732
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCORQ7okHeVaLn5J/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvYNul6F/5gX4n1S:7XO0+env/YeANdDvY8uSGs2U93CS1
                                                                                                                                                                                                                                        MD5:727DC69238CCB24CC10EEC22A7385BF0
                                                                                                                                                                                                                                        SHA1:696887F058FF14416AC04D365341B5782491A474
                                                                                                                                                                                                                                        SHA-256:1F4B955C03BC97527D4FB15BC3683DB5C305B407A4FC72C12D76D3910917CB23
                                                                                                                                                                                                                                        SHA-512:D3C862F99D20F3C190D05877691AFC40ED80EC4A94D9DA5D711BD19674FD28F0FA4CD00B713C3DED5E77C29FB92B7590C741839B4A699B7E31F0A860C23CC966
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 715 messages, Project-Id-Version: BitCometGUI 'Erro ao abrir un arquivo torrent'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):67341
                                                                                                                                                                                                                                        Entropy (8bit):5.3222621889384225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8/z/F+Nby2pMullXrnpS3WO00DqLyXo7BkJ7Z8TXk8io58eRrFM9WyPKPZSZiPmL:M/FHBup0DqLyXo7BkJ7Z8TnRrFMkCKkf
                                                                                                                                                                                                                                        MD5:5FFA81C4B392BCDB886BF6D8775F4C6F
                                                                                                                                                                                                                                        SHA1:B291757D227834523FDC437007B854E7FC1538C6
                                                                                                                                                                                                                                        SHA-256:AA35DD868BDA15F75A6E86E98F3DDEADDD8E1DB7870AADE6E6FEC77EA9B75358
                                                                                                                                                                                                                                        SHA-512:F5CA2DB220E82844246B846A1940C5938AA16A29538E438DC8E1225A5236C72A3FC17E0FEB86354C1A51DAA87466309A1CD17A355114C7AA366C3E16FE43DDC7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 894 messages, Project-Id-Version: BitCometGUI '\327\244\327\252\327\231\327\227\327\252 \327\224\327\230\327\225\327\250\327\240\327\230 \327\240\327\233\327\251\327\234\327\224'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):89370
                                                                                                                                                                                                                                        Entropy (8bit):5.54925735006217
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:K7qhrxUodO1qN/pJ8/CF55HOulmXrn0S32O6wDqLyXo7KBkJ7ZOJXk8io58eRrFT:K7qTdO76LuuLwDqLyXo7KBkJ7ZOJnRr1
                                                                                                                                                                                                                                        MD5:E6B2FA95D3E0E62A617128F37B314688
                                                                                                                                                                                                                                        SHA1:D864D3B9199C348F96CE8237DBA25215B037D972
                                                                                                                                                                                                                                        SHA-256:2B21646FDA5076251071F03F5E1ADA3CC80175885694BB18106DA6264831B889
                                                                                                                                                                                                                                        SHA-512:2E6D084A2D1A34A6E87BD52673A85196E99965F99CBE152B5E84C60167A2AFCD4BC38C6426412D8F4AD0AA6EBBBC7294EAE82FB85FE8A12942D2DEC533F6A9ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 170 messages, Project-Id-Version: BitCometGUI 'Priklju\304\215ivanje u tijeku...'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13451
                                                                                                                                                                                                                                        Entropy (8bit):5.286014272768912
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:EnONpYsnZFVYDyXo7KkJL2TquimzD9ActTS:EnOnn6DyXo7KkJiTqQ6cte
                                                                                                                                                                                                                                        MD5:042A8E17E22BE5D96A12DE425ADFD469
                                                                                                                                                                                                                                        SHA1:E8595B70551BE528E4E3C9B5CD16BA0BF33267FB
                                                                                                                                                                                                                                        SHA-256:F6B97EBE708E43B7886F400F197C8B8E5AA8A0747DC338729B31347588DBE6F6
                                                                                                                                                                                                                                        SHA-512:D314F3D5206F8E95A212A53FB0CD2C16259BED586EB6766C0F7A7790C3B21ED4178B2DD460DBD233C28B4412D9468D8A0FB3615F06017C474F75ED964545FBF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1307 messages, Project-Id-Version: BitCometGUI 'Torrent Megnyit\303\241sa Sikertelen'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131351
                                                                                                                                                                                                                                        Entropy (8bit):5.551408926943811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:nHwV6Myo930437oDqLyXo7KBkJ7Z0PGfRrFsrhUGN4Vr6ogsxb:nHDMjB375yUX1
                                                                                                                                                                                                                                        MD5:BF58953E42BB5B746177C67BE666F599
                                                                                                                                                                                                                                        SHA1:329B909A8C23F38ABBB8E9D45EFE092A0B301B91
                                                                                                                                                                                                                                        SHA-256:3950DA5A3CF5A72FB22ECBAB045C4A23910E02BDA4C1E1ED34EE63D24A4856DF
                                                                                                                                                                                                                                        SHA-512:50A8114217757181A928779F41B8B71714FE3F3019961A3299FDCD969F44C1E27DC83A1AB687FE21BC894298F22F9968D49204CC192A1CC35457749B8F56A910
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 144 messages, Project-Id-Version: bitcomet '\325\200\325\241\325\275\325\241\325\266\325\245\325\254\325\253 \325\247 \325\266\325\270\326\200\325\235 ${VERSION_TEXT} \325\277\325\241\326\200\325\242\325\245\326\200\325\241\325\257\325\250'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9747
                                                                                                                                                                                                                                        Entropy (8bit):5.472037277067749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:o1e/dpd1j18Twe32Ta2M6JK8jZTv9Kz9zG7CiYKBxoBra2YE9NObvGnDPyztd2Cj:o1+dprjWTwc2uGtT/YKBAYEhKZTm8f
                                                                                                                                                                                                                                        MD5:E8AB5F1BAB1E56F0D4C195DF6E7BC431
                                                                                                                                                                                                                                        SHA1:6B455732671FFC2CEAF70A839025FC1E8F600DBA
                                                                                                                                                                                                                                        SHA-256:1DD5CE59C2CE9ACBF6DB9B798303EFA279A058B63DAD0B882CDEA02176150E53
                                                                                                                                                                                                                                        SHA-512:38955AE60740B544D01E672B465508D6A9D9D20590CE6C41255F1C55BACB5655B6B50B723826762454096F3AA9CCBC3CBD66B64581AA52B415CCB29A194E17E8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 442 messages, Project-Id-Version: bitcomet 'Gagal membuka Torrent'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):30816
                                                                                                                                                                                                                                        Entropy (8bit):5.1741497290231315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:i+BZjIFrQ7cyr0O6XrnBS3x8DyXo7BkZ7UMMxKEGEAn/E9EcxM:LjISQO16XrnBS3ODyXo7BkZILRTA/jcS
                                                                                                                                                                                                                                        MD5:BF59C6DDC06AABA5CF9B389AE2E4EC03
                                                                                                                                                                                                                                        SHA1:FC313F377FC1C27DE18AD142351E9389A7003B15
                                                                                                                                                                                                                                        SHA-256:34907CF45B50A364F079418A36AE0D630BB3CBC027EC3FCB6A831224B539BFF0
                                                                                                                                                                                                                                        SHA-512:4DED403169E168DEBA1A40B21F8477E2BE024304825953E038755E41E918D5EBBCDE4267CB78EC03ABE0D2501C1007B6752FD8458B1CAC85E127171609CA030B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importazione di torrent DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):251768
                                                                                                                                                                                                                                        Entropy (8bit):5.428018374206947
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7XO8Fq3/YeANdDvczBPLo7gUaQ2gYWVWxKLughqUcf8SVokmh5frgm+9:7Xflnrab
                                                                                                                                                                                                                                        MD5:107466707734E7D27383582E5330A85E
                                                                                                                                                                                                                                        SHA1:D84964668EE5A7259C6F589841748D020190F425
                                                                                                                                                                                                                                        SHA-256:BF04C238F901BC4948EAF1CB5139FCB0ADAC96449063168E381A038C6EE3E93B
                                                                                                                                                                                                                                        SHA-512:C6CC06D6454CF3C81C654F051699A0DC2E9A091BB28F8F76D02B2E084D3ADB4AE738859A21E41ADC02D5CCD4B33E46808BB061D72ECC94CF209E56E70363F33A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'DHT\343\203\210\343\203\254\343\203\263\343\203\210\343\201\256\343\202\244\343\203\263\343\203\235\343\203\274\343\203\210'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):274720
                                                                                                                                                                                                                                        Entropy (8bit):6.109496798622325
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCO4K8TGJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvwb/+aHLHrqg3zTfufbxt:7XO4K9/YeANdDvraHLHrjzTWt
                                                                                                                                                                                                                                        MD5:EB7E2BBC2A8D9CB24FF4C3BA65E5A3E1
                                                                                                                                                                                                                                        SHA1:AEA18C0E0BD9054C52A432704BB3E36E52B462EE
                                                                                                                                                                                                                                        SHA-256:0464CC2CDE5FE227898C9AE4ECE05F8E61AA48C8ADCE953B5ED416BA236B599E
                                                                                                                                                                                                                                        SHA-512:2211B7F64F493458F06CF77489E773B970B8FA93D95A1DFBDCF70E8623EDCA9FB8E796D924CC9B0F0D67FDCC1C3575709184E52C31CAB4EB8D63F5DFE41EB2F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1008 messages, Project-Id-Version: bitcomet '\320\242\320\276\321\200\321\200\320\265\320\275\321\202 \320\260\321\210\321\203\321\213 \321\201\323\231\321\202\321\201\321\226\320\267'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):108050
                                                                                                                                                                                                                                        Entropy (8bit):5.787902717821965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:p8JJ6qnpm5wufDqLyXo7KBkJ7ZH7NtrFpNT0XB9RSz6EyGh:KJFqwuWVT0X/RSz6EyGh
                                                                                                                                                                                                                                        MD5:BBF673D10A2A56BA6A2528A902A9FB71
                                                                                                                                                                                                                                        SHA1:4B1124C2DA49646A68D9D97DDBB16D8BDC935C6A
                                                                                                                                                                                                                                        SHA-256:99036119A6ED32D4BF4F470D1CA7EEDF36C4D92F20972E8E4C0278BB69CDB8EA
                                                                                                                                                                                                                                        SHA-512:228F2771F65FF57021EE95EA78243642D58C9A0B77B573CC9E2D38466D2A4684AF6F84E8463E89D66CAEF519A97D48E5C9CD91346F00D9F5C3DF1FE344493D8D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 48 messages, Project-Id-Version: bitcomet '\340\262\237\340\263\202\340\262\260\340\263\206\340\262\202\340\262\237 \340\262\244\340\262\260\340\263\206\340\262\257\340\262\262\340\263\201 \340\262\206\340\262\227\340\263\201\340\262\244\340\262\277\340\262\262'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4344
                                                                                                                                                                                                                                        Entropy (8bit):5.432069751364534
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:TOCDz5VhfKLMIxNfzJwTmOgKmqMG8yYZrDcIZmRPiyR5ifdaN15xQcgKjj:TOCDzpfKLMIxVCTuHZcqmxi4gdI15x3B
                                                                                                                                                                                                                                        MD5:FEA30E3D435220F6585BCC6B36800E23
                                                                                                                                                                                                                                        SHA1:D69D882DD03A8A9E0641F9F84176F10AD9E3178E
                                                                                                                                                                                                                                        SHA-256:0B532AE300D321E1C736BEE0C73A0D501C16AF176C9E32EFD58A73E934FD0A3D
                                                                                                                                                                                                                                        SHA-512:48F7754CBED9B01061EEADA2580F71D2082087CD65B7EA5E16D9FD4B3387B1718AA426D70D56F4108A9DAABA8A2D05A860F1484078F336C76686C43D8490219E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'DHT \355\206\240\353\240\214\355\212\270 \352\260\200\354\240\270\354\230\244\352\270\260'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254630
                                                                                                                                                                                                                                        Entropy (8bit):6.171940294405938
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7XON5qV/YeANdDvbj6+McgkNymVX3iG/wfcvWNL:7XwznrjjGcg053NveL
                                                                                                                                                                                                                                        MD5:836A89E8A81F33FB921C067FE7F5DF53
                                                                                                                                                                                                                                        SHA1:E8D0D9AB86753161BF93FEB67ACD3C3E95563DF2
                                                                                                                                                                                                                                        SHA-256:03B74683739510FDA7671964E88D2CC13676CCA6D9AA01FEDCB09479B4A072FC
                                                                                                                                                                                                                                        SHA-512:1FE4B09B6A26E495369FA5EF82612E02C4A02EE5ABB2F9B52A31F2851500E2646183E452E7A9B28FC98C84B4DEF119301220429951B03380CFC5E69A87622333
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1002 messages, Project-Id-Version: BitComet 1.36 '\331\201\330\247\333\214\331\204\333\214 \330\257\330\247\332\257\333\214\330\261\330\247\331\210 \331\206\330\247\330\257\330\261\331\210\330\263\330\252\333\225.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):88100
                                                                                                                                                                                                                                        Entropy (8bit):5.719674972761057
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:yqAJU6xoJhgu7loLG3KoXrnyLS3FO84ByXo7KBkJZ+S0OEcxjEEYrLZ4a:bA0JOuqLG3w7yXo7KBkJZ+S0O2hLZB
                                                                                                                                                                                                                                        MD5:F28DFE3A18903EAF3B33349E5E72146A
                                                                                                                                                                                                                                        SHA1:AB62345234C97939A03527B8C98BE0579E504EB1
                                                                                                                                                                                                                                        SHA-256:6087DFBA2A97F1C8B6F1D4C31E9CC2B9B06EF7542F7BC5CF5E1D2EE88622CD1E
                                                                                                                                                                                                                                        SHA-512:E2F33AE9A302D8FCEB853DFA7B2B305E0DC180841906F0DF21F2799800C2057E4D8D4DE236FE28420D620F2789D5352338DFA164529730BA74702636884124EF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 494 messages, Project-Id-Version: BitCometGUI 'Parsi\305\253stas failas nerastas.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40650
                                                                                                                                                                                                                                        Entropy (8bit):5.4004763704881995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:39AK0nvOU3lkXrnZ6AS3jyOD0s/DyXo7KkJ4Tpeknyj5sKjtdP/:tAK0nvOU3lkXrngAS3WODd/DyXo7KkJr
                                                                                                                                                                                                                                        MD5:8F522C8CE3A317132E47FA8100D2FD80
                                                                                                                                                                                                                                        SHA1:8259A43DF9185075D56A261287CDB820CEECDCED
                                                                                                                                                                                                                                        SHA-256:B083B9A9034F2780C67E87FB68B2D4CEF213D5E7629FBE738CB31571A2BF7FC0
                                                                                                                                                                                                                                        SHA-512:8267D4276DE9170267A799A5DD44AD7B8BBBA5562C59972CB97F83174A411A8032CA5BF32477A26BE16A8D3F86800252F6B706D263E28066BDFBBE48966E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 234 messages, Project-Id-Version: BitCometGUI 'Atv\304\223rt torrent failu neizdev\304\201s'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18893
                                                                                                                                                                                                                                        Entropy (8bit):5.432514511334486
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J/FlqhPMc7k9Ch1KkXrnUfDyXo7KkLgnjlHCms97DCIOVAbI2OBBA:JSRMc7ka1KkXrnsDyXo7KksnjlCoIOVa
                                                                                                                                                                                                                                        MD5:158F9240165BFB25865077CE639E8AAE
                                                                                                                                                                                                                                        SHA1:83A2D91C8676690694048D662720F406DE0A314E
                                                                                                                                                                                                                                        SHA-256:A5AD1C609D269BBA4B8325B26B78EC05191445EA083622DA87AD9194FD56A644
                                                                                                                                                                                                                                        SHA-512:5F2BD3F51B9CDB43ACF838F36112743961E5E50D814216FE8C672663683CB78063B752C02DAA2349893C4CBDA299F0BF4102E96D1A8B573BF90CFED6649F61CB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 731 messages, Project-Id-Version: bitcomet '\320\236\321\202\320\262\320\260\321\200\320\260\321\232\320\265\321\202\320\276 \320\275\320\260 \321\202\320\276\321\200\320\265\320\275\321\202\320\276\321\202 \320\265 \320\275\320\265\321\203\321\201\320\277\320\265\321\210\320\275\320\276'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71602
                                                                                                                                                                                                                                        Entropy (8bit):5.591626256005003
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:X5aYw9Q3zKMXrncS32OjK97DyXo7KBkJZSpyRC91o7emFoNuoK/llusHFA:oYw9yz07DyXo7KBkJZSJIpOAz/lluuA
                                                                                                                                                                                                                                        MD5:C57AD970AF8DB18A97079B8E8B4E4A7C
                                                                                                                                                                                                                                        SHA1:844ACA8B587B31F3EFCB4EC2FE64731285E8675F
                                                                                                                                                                                                                                        SHA-256:A0AB991E42F968666E8FF523D495EA93FE50E06C6DDC391E6D49FD6A6944C6E7
                                                                                                                                                                                                                                        SHA-512:466E070F1A8AACDAD5D4313C5424CDDC38A6DCEB39406076258FF1CA08A27E8B503FAC39AD1DD4E0977D5DB8C43D935F3BEC4A2528A2E9AE5C4003E2279E02E6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 255 messages, Project-Id-Version: bitcomet 'Fail yang telah dimuatturun hilang'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19402
                                                                                                                                                                                                                                        Entropy (8bit):5.257817451926557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:rUg4opisGdZxq8f3KDXrnIS3IyO7YzcmkuFE1qWlYUzj:ggpGZxd3KDXrnIS3IyO7YCIWlYUzj
                                                                                                                                                                                                                                        MD5:1AB217436EF4E60F08761115AD9A4940
                                                                                                                                                                                                                                        SHA1:3F65029AF73AC05116B7A879A7B48E5450F377E4
                                                                                                                                                                                                                                        SHA-256:A9FB1BC53C286B85458AF91F3C5396A2F6F627D22947A4EDDA642341A19D3EC1
                                                                                                                                                                                                                                        SHA-512:48C5AB9E0856CBAC08704344995A4952546D3594FCB5E9EC8C3CD77CD0FDFE88406E7EF94D89D113841D1742C503BCB684D740EE56E8AC57164A6753F7B1CA5D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1209 messages, Project-Id-Version: BitCometGUI 'Feil:'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):114109
                                                                                                                                                                                                                                        Entropy (8bit):5.405577031957202
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZMxZf6JKEHNZDx2DqLyXo7BkJ7ZZnQfRrFs5ylm6W/A1NwkcXP6q3A8zqCtjjksR:yZf6kEHNZDxPeykllA8zqCV
                                                                                                                                                                                                                                        MD5:A23E230EF7F6C598585F4107ED576F0C
                                                                                                                                                                                                                                        SHA1:0CA4E19596176826CB60616715250323B1843B22
                                                                                                                                                                                                                                        SHA-256:B81320AEE7E1BA5014D85ED4B8857108F550DE821EEB42308140C472BDB8EE39
                                                                                                                                                                                                                                        SHA-512:07AC5571F7F12D7007C9208109713B867F277BCA9570A0A2F54257659CB1F678F921666A21C3422987999EA0C8C5BF6B89DE4CADDA6F51064157CCDFF8AEEB51
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 459 messages, Project-Id-Version: bitcomet '\340\244\244\340\245\213\340\244\260\340\245\207\340\244\250\340\245\215\340\244\244 \340\244\226\340\245\213\340\244\262\340\244\250\340\244\276 \340\244\270\340\244\225\340\244\277\340\244\257\340\245\207\340\244\250\340\244\276'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50942
                                                                                                                                                                                                                                        Entropy (8bit):5.360270094955925
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:oksP3MUlBS32O/bDqLyXo7KBkJ7ZEEOEuMR+:oksPcUibDqLyXo7KBkJ7ZEEOEuMR+
                                                                                                                                                                                                                                        MD5:817007B32AFD44F2499F8BD5692D5450
                                                                                                                                                                                                                                        SHA1:498BF7BCFD39569CB42553F1430C031D619FBC09
                                                                                                                                                                                                                                        SHA-256:B10C609012E169DEAD0A466AF438ECCCECB423CB8A98402E67ECD07CC07ED209
                                                                                                                                                                                                                                        SHA-512:8071D727B5031BE2A1EFB73E3685F7F4A6A6EC6F70855525580FAB8929F611EA8F9F6798E2F51AA08CB8FAE4ACB57943DEC54444307C0E645BCFF4173270141D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'DHT Torrents importeren'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):248494
                                                                                                                                                                                                                                        Entropy (8bit):5.446636018482935
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCOjmKJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDv8s6v+qyZlu0U:7XOjmY/YeANdDv8b7
                                                                                                                                                                                                                                        MD5:9BC9463FCEC2D34474EF9BAFC40E1992
                                                                                                                                                                                                                                        SHA1:5FFC9D176AB3CC3F9A36D7D7427E686D03C8A7CF
                                                                                                                                                                                                                                        SHA-256:0733BF618BFD2D2B86F9C028C186047217438747FD496009B20A5378DA86E559
                                                                                                                                                                                                                                        SHA-512:77CEF769D8D3B27E2811D0D4192C7BCBCE68627C1B78FF9EB7ECFC4DD4EC6AB6B6707A4F61555262142F8251646AAAE9030C0C38E86C3A3FB71149F5BC78FF8D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importowanie torrent\303\263w DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253222
                                                                                                                                                                                                                                        Entropy (8bit):5.626382294338953
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCO9tyaACuPJJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvwFFTzGRO8y:7XO/zuH/YeANdDvqqROX
                                                                                                                                                                                                                                        MD5:71886C466B2E3DA5861E2D0C9DBC18D2
                                                                                                                                                                                                                                        SHA1:95E57CFCAB439F7CFE9E459787126FB986F97912
                                                                                                                                                                                                                                        SHA-256:0C1BDB452ACADA6C2C87304D058C55C1E06E42C899C17FF81996B687F8DBCF8E
                                                                                                                                                                                                                                        SHA-512:33ECC54464878B69401B95554A591A36441E61758A8847F7EA5BAB0A6629C6B5CC3D47141AC78C1749CFE4B2E949538ECA32A9A2C251AD1BC868B6D5C57DC3AB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importa\303\247\303\243o de torrents DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):252476
                                                                                                                                                                                                                                        Entropy (8bit):5.4765709272212835
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCOtz67J/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvsOnJ5cOR+GBafNGb3DTj5:7XOt+/YeANdDvvSGBa+
                                                                                                                                                                                                                                        MD5:8FE886E39E59B81CC117CF625AF002AE
                                                                                                                                                                                                                                        SHA1:40F67A1C229C4E8A32022459C4CCFEE88EB940A8
                                                                                                                                                                                                                                        SHA-256:883E1906DED7D93A435E39002CD502B63B0D101C9E056C76339478FBE87FBD9A
                                                                                                                                                                                                                                        SHA-512:6E2757191B811DB5CE52CA5AA1E785EF979634D409A6A210AD45B38C5D51E0A8EB876D1D5B73551439A2BA2E16EFC1B98D644FCCAD53780C910F58A08FDAE37C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI 'Importa\303\247\303\243o de torrents DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253214
                                                                                                                                                                                                                                        Entropy (8bit):5.479081011200795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCOcoOyzJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvyt0kh+5NcudV5+rZa8fXa:7XOcLyt/YeANdDvI1M5LV5+rZa8S
                                                                                                                                                                                                                                        MD5:31673DE71ED188E812C4BEDA7CEC3582
                                                                                                                                                                                                                                        SHA1:BDBDB44E93734FB95E253DE06C09BAB732239848
                                                                                                                                                                                                                                        SHA-256:4335132EB01020F314259E4C0D548A3696906166E736B6EC8FCDA3DACFBC046D
                                                                                                                                                                                                                                        SHA-512:4B20A7AD4A68F3D427037917863BDDECD97C72CA0F746E26874799BCDCA250AC925311084FDEB3AD178C49B37839CF3BB45410F1EE3384851CB290FFA3BB3399
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1505 messages, Project-Id-Version: BitCometGUI 'Fila desc\304\203rcat\304\203 lipse\310\231te.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):151953
                                                                                                                                                                                                                                        Entropy (8bit):5.482445008207694
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:zeLq8cV3FvhDqLyXo7KBkJ7ZaMUfRrFsw448BpQxh7wpAY:zeOVV3FvFF8BpywpAY
                                                                                                                                                                                                                                        MD5:DA11A30FC8034D2547D1369BF973D834
                                                                                                                                                                                                                                        SHA1:EEFB02A88D3C671C0D0A7B8B111E02756F0557AD
                                                                                                                                                                                                                                        SHA-256:2678BDC488BFD5F532B5E22BE6748D36585CF7E1D11F8CD279626EC61D4D64EC
                                                                                                                                                                                                                                        SHA-512:9E7F27C1FB53560FEE21695DD42FABBE01A543E73BB869EF4C1F486B9175AA3521F3277A324CCB95060146CBA5AF8EFA09C2F046A47BA9F19A19CAF4D09CBA77
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI '\320\230\320\274\320\277\320\276\321\200\321\202 \321\202\320\276\321\200\321\200\320\265\320\275\321\202\320\276\320\262 DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):306379
                                                                                                                                                                                                                                        Entropy (8bit):5.758175345275783
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7XOpDZf0/YeANdDvZ/+vdMwjqEjkakOZSWduaSZOCnPo1AnJMA/9pJl4TtR5u3j:7XeB/nrRWvdMwjqPaVSWduaSZOCnPo1+
                                                                                                                                                                                                                                        MD5:14D956AAE217A45A945FDAA27DE29DEA
                                                                                                                                                                                                                                        SHA1:A21463E6755DBC0B948ADA85A4EC5064E6614B39
                                                                                                                                                                                                                                        SHA-256:313FB84AA96621A550B6EC11F143437DD2B38F527659F4BA24D49A08AA17F596
                                                                                                                                                                                                                                        SHA-512:D6937107D52FD96BB85D6BFBFB876E296844D8210C2F87FB5F125F08A45792D0F3833B19F395FA36E0F3573BA757F65C0E87D1440BADDE378D3EC25AE9B7A3DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1489 messages, Project-Id-Version: BitCometGUI 'Stiahnut\303\275 s\303\272bor ch\303\275ba.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148591
                                                                                                                                                                                                                                        Entropy (8bit):5.624139854250813
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ueGoKWWghWQz5y35CTDqLyXo7KBkJ7ZoTdfRrFsL4atXiQ7jgrxKSZMO:phZWcWp35ClpaSh
                                                                                                                                                                                                                                        MD5:4C5F7A647C7C4F9B364670F7543C22D2
                                                                                                                                                                                                                                        SHA1:7CCF4100FCB7926E43952B14E0583797A465ACF3
                                                                                                                                                                                                                                        SHA-256:E10D45356C41CAFD990F274C60F5BBAFAD2C980F33352D9A8A0FE67C4F97F942
                                                                                                                                                                                                                                        SHA-512:1A21AEF3D20827CF81770DCA54799BEC0FF486D9FF688D1077D89998C0334B68D19C35E5C8127C1373EE6E8ACC37FCBC38218C7907EFCCD862AA352DBD790675
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 274 messages, Project-Id-Version: BitCometGUI 'Prene\305\241ena datoteka je pogre\305\241ana.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20791
                                                                                                                                                                                                                                        Entropy (8bit):5.25757244168817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LTFWj89XFQtLlcrnGS3j6FhlDyXo7Kk3CnTtY1mnb3KanRL+gePt9cT5M:LTFWVtLlcrnGS3j6DyXo7KkynTt7zb3C
                                                                                                                                                                                                                                        MD5:DECDEADFD1148DC4F19C8DB430AE3C65
                                                                                                                                                                                                                                        SHA1:E0CF96C47B1CD7D284FAFC94CFFB7526204352B9
                                                                                                                                                                                                                                        SHA-256:7884D9F367A6797033F27EE9537BB3F9D3CE8EAAEBD9177096796CEA20EDD5D6
                                                                                                                                                                                                                                        SHA-512:210B4D320877BC9B4EF365C18DF0FB7D19601191CB08DE319874D05C4AF4DF6B5788ED9A25DE27F5003F71BB5E6134F28A399FC27F9D5BFEC5311AF46EF48611
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1100 messages, Project-Id-Version: BitCometGUI 'Hapja e Torrentit D\303\253shtoi'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):103737
                                                                                                                                                                                                                                        Entropy (8bit):5.427063921692318
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9fTxmaj6uJlDqLyXo7KBkJ7Z/DLnRrFMq8i:9fTP6uJyT8i
                                                                                                                                                                                                                                        MD5:AA4E502B588DF06915701FBADF9982B8
                                                                                                                                                                                                                                        SHA1:2EB8762DE7C7AFB7079786A2139B24422110433C
                                                                                                                                                                                                                                        SHA-256:F62117D7A6CE8AF0DC8911FDB5029D9A5176AE01F7F3FC9494B81EC0AF2940DA
                                                                                                                                                                                                                                        SHA-512:FADC2007E6DFA0585253FC322D1043BFAD6C18521D2ADC85409FFB393C86C4871A2F528727D2779D662D315ADEFA8C5556D97491F03B1DE71D26E934837BF690
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 381 messages, Project-Id-Version: BitCometGUI '\320\236\321\202\320\262\320\260\321\200\320\260\321\232\320\265 \321\202\320\276\321\200\320\265\320\275\321\202\320\260 \320\275\320\270\321\230\320\265 \321\203\321\201\320\277\320\265\320\273\320\276'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32831
                                                                                                                                                                                                                                        Entropy (8bit):5.642345028830651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:55yYsAnulmXrnAzS3jyOMcyXo7KkVN2FKhrC49n/+Et:55tnulmXrnoS3WOVyXo7KkVNPp9n/+Et
                                                                                                                                                                                                                                        MD5:A5179B2B8F433114C545C73159ED7CC8
                                                                                                                                                                                                                                        SHA1:AC2934E7B9CD54F796E17A07BE24E191802A3F13
                                                                                                                                                                                                                                        SHA-256:07BA4D10A5F74DB6B4E80C3F81A91BA713AA85DB8DB5D609BADE54FE40241ED7
                                                                                                                                                                                                                                        SHA-512:DAD935946E461F7407FC2507239470BA05511E31B4A4E3F0305D96452EE0547542E6C1CC8C8897B2EFE411E079786366E9243C6885B78DF695BEA9435FA0F343
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1500 messages, Project-Id-Version: BitCometGUI 'Nedladdad fil saknas.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147016
                                                                                                                                                                                                                                        Entropy (8bit):5.491405453248565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:pvRY8mBmIPW938E7DqLyXo7BkJ7Z+MUfRrFsw44ndAHPp/AAEZM:pppWmUa38EeFnA3EZM
                                                                                                                                                                                                                                        MD5:91FCEE0395D04D7944070E2F26A5E159
                                                                                                                                                                                                                                        SHA1:AFADB2F947093BD941D6A6AF4EBA121DABF51BD3
                                                                                                                                                                                                                                        SHA-256:7A90EA29E731B51D0722440B27155504D151FE9F43E19B23CC1035F8E2D04C78
                                                                                                                                                                                                                                        SHA-512:2F6D344D664E4DB6381EC6FA82314949F6F9D38426721ABEABD5A1F9AA888D30FD6D9CEF39FD4764D762686BE0B9A77CB56F2BA2BF2923CEF4213BFA5620C538
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 121 messages, Project-Id-Version: bitcomet '\340\256\244\340\256\260\340\256\265\340\256\277\340\256\261\340\256\225\340\257\215\340\256\225\340\256\252\340\257\215\340\256\252\340\256\237\340\257\215\340\256\237 \340\256\225\340\257\213\340\256\252\340\257\215\340\256\252\340\257\201 \340\256\225\340\256\276\340\256\243\340\256\265\340\256\277\340\256\262\340\257\215\340\256\262\340\257\210.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13075
                                                                                                                                                                                                                                        Entropy (8bit):5.2715582084148975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:XiGbIhhHIZObKnYKTJY6PXrnmJnkTMXDFmoyX1ElPZwlb6lj5+BGXMg8wBHzX7se:XTUP2+KfXrniHhmDlZAB7CabJl
                                                                                                                                                                                                                                        MD5:BC079B7D77F12E6C973C83F909B3F3BF
                                                                                                                                                                                                                                        SHA1:FD5DD2D6473598455A8B3BC694ED724A63C7F027
                                                                                                                                                                                                                                        SHA-256:2863DBD88E7F409DF2D9A4A313E85051D20202B0FEEEF318BB8DA774A6D77112
                                                                                                                                                                                                                                        SHA-512:F4289635C34F58E85BD2A1D8FB6354615BA7F5C4B7355DAFF8392FE075D74887590B69D64E08345086CA998FB8D701F09B90B240CBBB82B173958F520143CE8B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI '\340\270\201\340\270\262\340\270\243\340\270\231\340\271\215\340\270\262\340\271\200\340\270\202\340\271\211\340\270\262\340\270\227\340\270\255\340\270\243\340\271\214\340\271\200\340\270\243\340\270\231\340\270\225\340\271\214 DHT'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):352562
                                                                                                                                                                                                                                        Entropy (8bit):5.4991702275441225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7XOew0BWTb/YeANdDvGTx9RGD404s1tR9+JQJaA19YULb4ikT:7X95nr+Tx9RGD40V1tR9+JQJaA19Fbd8
                                                                                                                                                                                                                                        MD5:A2B9034CB942031927267F356CAFB1FA
                                                                                                                                                                                                                                        SHA1:B755A533BCE9C39A935F915A47303288FA63F21D
                                                                                                                                                                                                                                        SHA-256:C0B2AAB472277D9F3698FE9EF2AE7AFBEA3D75CD495451429BBCFE29E3047986
                                                                                                                                                                                                                                        SHA-512:4599A03E674B2D4843DD6A3C3138F3C69234FC484DEC14535378EEA6287F158C853F4287E900E209AA562EBF43E56687AD7903ADCF00708E773954EE46FF4F26
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1498 messages, Project-Id-Version: BitCometGUI '\304\260ndirilen dosya bulunamad\304\261.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147529
                                                                                                                                                                                                                                        Entropy (8bit):5.5874451311886855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:QhH1dtrCSFv3lEnDqLyXo7BkJ7ZPaUfRrFsL4UV2Qmo2u++OAI/S:QZtp3lEppUV2Qj/VOAI/S
                                                                                                                                                                                                                                        MD5:1E5BCB8B3360FB8E6B070C1654F2D517
                                                                                                                                                                                                                                        SHA1:D25099C20C913007CA09A9881C93F8CCEB0F395C
                                                                                                                                                                                                                                        SHA-256:DE77F98F1DA1333AC0A90A975EC844382CB54529752F5F9515B8C30C12DEDD86
                                                                                                                                                                                                                                        SHA-512:FB5666984BA0318B85C5D3B23520E8068EC75CF58E46936E8E0727F872CF5BB510A4D0BF63003302951451EC034537EF9F7214775891F4F0757BD0EA8A50E838
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1523 messages, Project-Id-Version: bitcomet '\332\206\333\210\330\264\333\210\330\261\332\257\333\225\331\206 \332\276\333\206\330\254\330\254\333\225\330\252 \331\212\331\210\331\202\330\247\331\204\330\272\330\247\331\206.'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):187783
                                                                                                                                                                                                                                        Entropy (8bit):5.837738359094332
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KBKKK5Qb6GZw3ApnDqLyXo7KBkJ7ZGMUfRrFsw44h7id2xMp0Z/fzgftA/9rdw87:KO58w3ApzFh7id2xMp0Z/fzgftA/9rdR
                                                                                                                                                                                                                                        MD5:58B72181CC6A24F88BAB3CC1D6051D95
                                                                                                                                                                                                                                        SHA1:21FA0D682AAC54178030C5FE57FED276D7944407
                                                                                                                                                                                                                                        SHA-256:FF56E120FB4147FB9A7D2087350A6236C4BD65D6C37F2BE50171EFC4CBFAE5D0
                                                                                                                                                                                                                                        SHA-512:041E3E34177F5A3F769DD0217065C787D57186FB380A1DD50185812DDBA52D90D7B7F0BD1EEDF3EE33A7D1A838A8051B6A17BE97D8EA9F16D13D686F6A54C5D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 780 messages, Project-Id-Version: BitCometGUI '\320\237\320\276\320\274\320\270\320\273\320\272\320\260'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79211
                                                                                                                                                                                                                                        Entropy (8bit):5.677998258340325
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ZG4aA3lXXrnScS3WOc9BtDqLyXo7KBkJ7ZLwTEYcItP5cv994:r73ZtDqLyXo7KBkJ7ZLaKa5uE
                                                                                                                                                                                                                                        MD5:D54C08FDFFB9DA36B8AC1A64DB5AF39C
                                                                                                                                                                                                                                        SHA1:10961F66D4744504CE400C6F68EFBBC107D02D71
                                                                                                                                                                                                                                        SHA-256:2AA0300E8F0D4AC2E9EDE959EA38BF8488711B4A4B7D54F58213911FBDACF5AA
                                                                                                                                                                                                                                        SHA-512:30767030C9EFF7888A6F713EF273CF8177DFE0F53C952F7A6596F6F40A79D6F1F3EA8356A4C49D7DE7CAB7DD52BD170CC3044472BB959CB2F38420979907AFDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 95 messages, Project-Id-Version: bitcomet '\330\247\333\214\332\251 \331\206\333\214\330\247 \331\206\330\263\330\256\333\201/\331\210\330\261\332\230\331\206 ${VERSION_TEXT} \330\257\330\263\330\252\333\214\330\247\330\250 \333\201\333\222\333\224'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10459
                                                                                                                                                                                                                                        Entropy (8bit):5.7319741588424815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hP5/5fgyxuLVTMXS3jMITN6UImqC6uGNR3Zesy0e/KUJkN7el8Pxx4H:V5/5YZLqS3jMD1mV6nL3sPChelvH
                                                                                                                                                                                                                                        MD5:CE62B7876A009D1A98BFD36567A3D5E7
                                                                                                                                                                                                                                        SHA1:1FFFF24B1C44A94C2DFF98CD4EB3D91062DBDD41
                                                                                                                                                                                                                                        SHA-256:28688730B3CD989A4DB822DE95B4846FF49F29B7FDA684C81912657F5A81575B
                                                                                                                                                                                                                                        SHA-512:F36FD7505910A293903A4CAFA4502303E8013447F3D14A7ADB70858CBBFE4EB3D8F24EC6CEA2B331D5266F380B994C0FC6EB5EC03912BEB573472045992ECD91
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 1044 messages, Project-Id-Version: BitCometGUI 'T\341\272\255p tin \304\221\303\243 t\341\272\243i b\341\273\213 m\341\272\245t'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):108936
                                                                                                                                                                                                                                        Entropy (8bit):5.779130754606995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qgWBZvAY34RnDqLyXo7KBkJ7ZHMgfRrFsxYbMTF3CuhXfvcNiiMZQ1x5BXy:qgWbF34RKCV3FV5
                                                                                                                                                                                                                                        MD5:EE2AD1854064EA151409AB3103CE7AFD
                                                                                                                                                                                                                                        SHA1:43994BA96D40D199F69FDDBEA01B94E495C96FB1
                                                                                                                                                                                                                                        SHA-256:8649BBF23875A626D858E899010165003F8A8060CAAFC37553E2381F7CF9DA69
                                                                                                                                                                                                                                        SHA-512:E0A2644333E2805E67F5998A0B39D127A41901991FB26F0B7D26686DDDF6E6EAB0D03ACCCEC9D8F7EAECFB6D39FC7421FA0E1FB6016F6EABA35F93D5C7806955
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI '\346\255\243\345\234\250\345\257\274\345\205\245DHT\347\247\215\345\255\220\345\210\227\350\241\250'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):237351
                                                                                                                                                                                                                                        Entropy (8bit):6.281631973551195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCOyaAkhEJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDvDtyID4DaQwy:7XOyaAkh2/YeANdDvO7
                                                                                                                                                                                                                                        MD5:99AC5EF9344F65ABACF67CD64CE08BB0
                                                                                                                                                                                                                                        SHA1:6BC14B3110C0EDC44599B945AD537864359DF65B
                                                                                                                                                                                                                                        SHA-256:476B1149082BB59D2FE90FFF277C588CFB570EDD8CBC0FABDC7DA9C1A026E0D8
                                                                                                                                                                                                                                        SHA-512:06D2B7322C7842AFA82330565A977E26ED3E95697E2AF215C97991EECD24233977EDF05E57E3549734781F0578538822673CD3534CBC5FBCE920D388C3738531
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:GNU message catalog (little endian), revision 0.0, 2545 messages, Project-Id-Version: BitCometGUI '\346\255\243\345\234\250\345\260\216\345\205\245DHT\347\250\256\345\255\220\345\210\227\350\241\250'
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):236354
                                                                                                                                                                                                                                        Entropy (8bit):6.2632130790878815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7bGCOnQco6jGvJ/Y+NP4DqL+yXo7KBk7ZFtNnbrF1tTvDv+mbQaDXJ3V1+fs09g0:7XO+6iR/YeANdDvXbQaDXr1+z9g0
                                                                                                                                                                                                                                        MD5:34FFBEA12EAA350F626B821500FFBC0A
                                                                                                                                                                                                                                        SHA1:DDCB76544FE2C434D834DA9D4169F01872E497A6
                                                                                                                                                                                                                                        SHA-256:351C7FAE641B7BB64763456725223A36DF623FF629E31EA00ACFF37772FA6FDC
                                                                                                                                                                                                                                        SHA-512:126269286D7BE926940BB701D5268BD064B76FC91B6BADBF4F87158D888CCEE6B99DFEC73A2C4972225B7D22C7CFA06AF905568431655A92D5B4FD9BC3E8471F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):892456
                                                                                                                                                                                                                                        Entropy (8bit):6.672053011408752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:13Nl5M13aSTbgmwPEEXeADIfNsZmMAQ/z:/M13LTsthXeADdZmMAQ/z
                                                                                                                                                                                                                                        MD5:2EBA751A1ED9D254D4E8DA5ECE436158
                                                                                                                                                                                                                                        SHA1:8556F3918506EC480902AC5C4B6DAE19E56EC50D
                                                                                                                                                                                                                                        SHA-256:32CAC384E0361A7538ACA9B31E50FF4BBE6666A0567B062083610643351BA1FB
                                                                                                                                                                                                                                        SHA-512:EDBDF5651B5CF9341D843AF982C5D14A2C53745D03F98296FD7EC5F7EAE83D172056C76B6EDDA1AA0F309B166B976D9C464CCFE5EDFFE4D828C9AB66BEA8A983
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 3%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):767280
                                                                                                                                                                                                                                        Entropy (8bit):6.580074948779808
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:S8JeUxGFb+7HcvQ1Wlf1Si5YxyNmFatNOBiNANDybDCQ9lWuJnOP:uD+7Jc1oStNOBiNANDybDCwEgnOP
                                                                                                                                                                                                                                        MD5:7455FE2A83979F90705062160F98A96D
                                                                                                                                                                                                                                        SHA1:6AADE40A65871C938F168E6382B8AC7A34F46879
                                                                                                                                                                                                                                        SHA-256:04CF2CBB23DA8FEC93D9D021B4ED3168AFADB4BE9F47FB7E4D209A2C41DBACA5
                                                                                                                                                                                                                                        SHA-512:92AA6E78D1259144BE567AC970EE2BCA1ED27D8C343C81A21ACB7C791BA129FD491F4F066F86E22FC0B63064134663C486AFCF63AB1D352218E8FA8412859775
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2682920
                                                                                                                                                                                                                                        Entropy (8bit):6.8309434037236505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:k8NtOFS+g/q2/1upBe3ytP4VKpHThGZ7aM0KB4JRwTckxs8sLZ:k8NV/qloC6VKPGhB4Jz
                                                                                                                                                                                                                                        MD5:AE7FBFF183FF30913EBEB38913E8CFAD
                                                                                                                                                                                                                                        SHA1:545CF38E47318185E168F04A733C2E0B13119C21
                                                                                                                                                                                                                                        SHA-256:F366F293905BE928918AD30A020FD369E139F64FADD4CEDFF9F9FA1E663E9065
                                                                                                                                                                                                                                        SHA-512:BAF9D4EF6C607A15DC203321E3412043B446776F4E364EFDB856F804E889853BEBEEA8EA98B319ECA468E2EE8E305050205CB19F280C33427E39967E4CA9FFBA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Program Files\BitComet\tools\BitCometService.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 7%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):171152
                                                                                                                                                                                                                                        Entropy (8bit):6.5555258546929265
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:T9DO2tGd7DJGi1xc+L+/TJPrFJpiF768UIlG1BQpUmi/USZWbbkcMdh1nkfwjZ:TZFGjL+rBLYtIIlwq6WbPEA4jZ
                                                                                                                                                                                                                                        MD5:E9177F102A19BF29869470ACBA3D41DE
                                                                                                                                                                                                                                        SHA1:98CF7CCECD46C4B30A5F72E3A1D4DA50B8878CDD
                                                                                                                                                                                                                                        SHA-256:4C106371EE676595B8D30A3CD2512D5E90C0BFAC4627379DDAA01CAFB00BC7DB
                                                                                                                                                                                                                                        SHA-512:CD559158EBAC27E3BD2FB7034A9B7F7020FC0FE176DC23B688E071EFD2A14D4CBE7CDF2CB3C14FB1A38DDBDF6DF94456FA0F4FFBED82DFB2B9B421FCF338A485
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):63425
                                                                                                                                                                                                                                        Entropy (8bit):7.93347703649541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:T/x+wwtYpSnWLFimU1/gtarTj0Lw30uq0REoje2YI:bJ8Y0mUitarTgc3b9YI
                                                                                                                                                                                                                                        MD5:25A04FA8C1D9FAAA604609E0636E01FD
                                                                                                                                                                                                                                        SHA1:A796A2A1F3BFE2ACD2A2970FF35F81520ABD0A22
                                                                                                                                                                                                                                        SHA-256:35BD169598A654BCDBBCA731E87A262773B046A215BF850F16526447FEDF18D4
                                                                                                                                                                                                                                        SHA-512:C43FAF706A4308C4E49A24DAF8A7C6DE347908D9600BBF343C2E058A0F2B63B0C2AEB9152000EF2CA96BD49AAB38E4D6B28FBFA223833A4DAE959B11698C56A2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.PNG........IHDR..............x......pHYs...*...*.a.,.....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmp:CreateDate="2018-08-16T16:01:59+08:00" xmp:ModifyDate="2018-08-16T18:10:57+08:00" xmp:MetadataDate="2018-08-16T18:10:57+08:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:4b6f81b9-1f10-4d43-a488-584c23398961" xmpMM:DocumentID="xmp.did:4b6f81b9-1f10-4d43-a488-584c23398961" xmpMM:OriginalDo
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):44195
                                                                                                                                                                                                                                        Entropy (8bit):7.96317691624297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:spP35zfOMiYI0Tx9H80VEXhaF+tM8sZuLot4fEO/Yu3j/Lk73nEJsIQbxSU/+pfP:4P3/DtjCM8+uLVdguzw7ksIQdSdpfZ1r
                                                                                                                                                                                                                                        MD5:B5E53CD0A433BA0F0ADB24961DB590F3
                                                                                                                                                                                                                                        SHA1:7F15AF928236C6681B2B3277EA147E1B8B80CEE5
                                                                                                                                                                                                                                        SHA-256:EADAE80FF23734EE06C38847222A915B199195D9CC178DFA9E0B4341BB2DBD8B
                                                                                                                                                                                                                                        SHA-512:9685A147A4D26CDF25FB7303317A0F022AE52FA18AC2C8DDD82F14AE62D85265DEAD490514A6A1EA832AEEC15E4FE81FBBC5F74670F9C4029F29109432B5F23A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139816
                                                                                                                                                                                                                                        Entropy (8bit):6.598124286051334
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Jfa7N3rbZF/PgE18ERTagvE15fYNrEBmAzZ+vjXnkfB:ARrVF/oEqERTadm0l9+vDkp
                                                                                                                                                                                                                                        MD5:B230A1586DB0F1B1988D5DFEC70B255C
                                                                                                                                                                                                                                        SHA1:FA0157968002B98429B37EBE866DEA51E80C2A32
                                                                                                                                                                                                                                        SHA-256:CD1B47F4BD6C11FC72FE9F68A11E3071CFC95F18C9B672BCE65F233781A1661D
                                                                                                                                                                                                                                        SHA-512:1FDEDF965909F3B15B06C7F3A73C5BFFC2BC6AED667DC0E16340DC2C9EA8E777BCD66071FB44B629A0C55D82025AEF5CDBE2D9F4BE87965A38636126C9619534
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):304
                                                                                                                                                                                                                                        Entropy (8bit):4.853656194965306
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:boWpMhWe/zXCORVsJdTvFFaFlLulkNCfMHMHCiChdNC+jcOY:MthzXiT5UlLAjf+ima+jHY
                                                                                                                                                                                                                                        MD5:8350DC4AAC7FD59AF1154BA4C143B29D
                                                                                                                                                                                                                                        SHA1:0F3DE83A11292EE8BE0D905F97132CDADD3A5353
                                                                                                                                                                                                                                        SHA-256:AC1233A07ADE8B37EF7477F34B23F440FB727141AEDC6A0CC7B6CC745C453653
                                                                                                                                                                                                                                        SHA-512:0EA01A7B4CA44D0A294CC93729951588914DB44F050B1902BED0013DAFE54BA8A1D27E89EB3B216E9AA8936834AAC737EF09C8239C17C3CB6EECDAAC031511BF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.{.. "name": "com.bitcomet.chrome_extension",.. "description": "BitComet Launcher for Chrome",.. "path": "ChromeLauncher.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://dhigneefebkcagnpnpbibganpmfgebnk/",.. "chrome-extension://nomdogicfjajjjlflnlfbhekelnhklka/".. ]..}
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):43883
                                                                                                                                                                                                                                        Entropy (8bit):7.971775583969194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kwe9+gTVPOBYLEVU4mSF2qXCR4QZQTVejNtJ1oa3P8RrKxV/9XpCdydj/LlFrls5:kb+gTVPO9LmSQqyR4QuojNr13+ynhva5
                                                                                                                                                                                                                                        MD5:8888FD9341D582EE0A1CDC6383830696
                                                                                                                                                                                                                                        SHA1:A848F22AC8292AF1C9674E1634900F2C9DC374DF
                                                                                                                                                                                                                                        SHA-256:041494C0252A6222E62AE17D4E764090B9495DEECE64876C39748177CFC90BC3
                                                                                                                                                                                                                                        SHA-512:A3708E4B67546A01797FD7E05DC08DF4AE00BE7767C1FFBC22EA843E1EFE604B9AB5085594BB39D7ECB790019A106ECB3A98E635BCCAC09B73D82EE14718B8BF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50083
                                                                                                                                                                                                                                        Entropy (8bit):7.944464293367564
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:jnf8DfG7z9v+5rhof00ZCSUc6mWSMsLylP9s6l:LmfGZWAs0XRLLyV9v
                                                                                                                                                                                                                                        MD5:947351071B97C49CAB881C9ECB6106E4
                                                                                                                                                                                                                                        SHA1:C1885744E69DEBED0CB26FC0E79221F9E74E3D52
                                                                                                                                                                                                                                        SHA-256:1B26DFFAF433AA6095E481B23694E6B49CF4D7D464B771EE2783191E8E588B3E
                                                                                                                                                                                                                                        SHA-512:D3ED996F6C8C6B4B5D4080FA705FCD46E892535C4A205C109C58760B01420AC84D346CB001706CBEEDEC6185709A568EC998D89B52FB197C73FC2526930BD55D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):231
                                                                                                                                                                                                                                        Entropy (8bit):4.68954356042108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:boWpDaJAWe/zbMQVHORVsJdTvFFaF1hiDaJxKdb:M8hzoQNfT5U1hB2
                                                                                                                                                                                                                                        MD5:A837F7D8FBEDB8800FD1336C14FD737E
                                                                                                                                                                                                                                        SHA1:C784A3FDF5174A0D70513D390105E0228D22EA1B
                                                                                                                                                                                                                                        SHA-256:94884EF7A3EC61B82AA65303A9F677EC9D5AEF1D0AA05E94A219077D8E2C9C87
                                                                                                                                                                                                                                        SHA-512:61A70D4C12AEEF5C0A2EF47CAAF1E868A993A5EF685D79880BCCC7B905EB2399AE4D803A9C7C526D5B2E2A3AC6BC25880D537C7424642A85CDC2BEBDD04935D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.{.. "name": "com.bitcomet.firefox_extension",.. "description": "BitComet Launcher for Firefox",.. "path": "ChromeLauncher.exe",.. "type": "stdio",.. "allowed_extensions": [ "com.bitcomet.firefox_extension@bitcomet.com" ]..}
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):820528
                                                                                                                                                                                                                                        Entropy (8bit):6.575283923382807
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:uD+m1APb2/LKKcEuLXYMeyYIqDkHZRF1G:OAC/+UMeyYsHZj1G
                                                                                                                                                                                                                                        MD5:FEBBAF0C03103A63E0141A96535B7745
                                                                                                                                                                                                                                        SHA1:84D8DECCDCF8AE2C703063477E4788A61BA061A1
                                                                                                                                                                                                                                        SHA-256:5139CA694CDBA3802811160DD15563F72B8CC1D6CE0D9CC3B415104516EAC305
                                                                                                                                                                                                                                        SHA-512:B51B22C0E5E5B7805D3641F17FAC2C28DB1B5615799B6C6DDAFE3B202A59A17E25EF0441F77A6B967366C52C217BF48C2148104D2B8CC81CD363E3021C8B67E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 11%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):726056
                                                                                                                                                                                                                                        Entropy (8bit):6.492964327207684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:SIJ9lGROd3q/52rs7zlaiWEkgjiXMzbQszKpBOI9QcjmXZ8dHe6o0t:SIJ9IY3qBss7xaiWEkj9QcjmXE+6o0t
                                                                                                                                                                                                                                        MD5:391A3355B69755571AA824951ECE36C4
                                                                                                                                                                                                                                        SHA1:5AA3750CCC2D48FDBF19A576D3A0BD1FFC45BBEC
                                                                                                                                                                                                                                        SHA-256:4A86EF1AA69BD3E28F266D68604AFC5C5F140E17C4440A8E18EDF59E9AB13EFD
                                                                                                                                                                                                                                        SHA-512:96E5775F96D662D602783DCC40DC4B52D429889FF7630BC05B54A7A05D7174154910C903CAD941DAC44A51B805819AB3CA033E13FE2BB36348F28D8942BFEB9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 9%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2975272
                                                                                                                                                                                                                                        Entropy (8bit):6.807096842635996
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:FixX45hdiI3NTpepQyhcQEsFz/AyobctPfqgI/FTDGZOkyk+5is8FDcbo:FixXe3NTpepQyhMEcyicxqg+GkkykF
                                                                                                                                                                                                                                        MD5:1FA717DDEB7C00E4E92B02198F8D5634
                                                                                                                                                                                                                                        SHA1:DF5815BD907737A6A40BDA3EAAC8AE2D10B5EAC8
                                                                                                                                                                                                                                        SHA-256:C904F160AC09BFA5AB01475CF2565FBB7D5CFBD6C78DF87FE889C2039139B5A2
                                                                                                                                                                                                                                        SHA-512:4005C1B16DDFB2BD9697970867CC5C305E1F6E6A48EDA73F1362E5CEF832B4CE59E9E3DA0D9CA62E2E7E70487A2563BFC8FFBCD450E73EA78339D5983EDBAA13
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Program Files\BitComet\tools\VideoSnapshot.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1294655
                                                                                                                                                                                                                                        Entropy (8bit):7.968130777762132
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:2nMDJD4xQrXnRisiU1KVEElEPV+YQk8zpwjtHWPvcnqlzJ2M4uJqvZzNh:QIEI4rHlEN+hkewpH+cczNY3h
                                                                                                                                                                                                                                        MD5:6696C444B303C371DFD011D4D4CF6377
                                                                                                                                                                                                                                        SHA1:BE888BB3AAB1B7457636790BEB98B1029BBB7192
                                                                                                                                                                                                                                        SHA-256:62CB604A8236683A51312FCFD2CD04AFFF1519718A8B0890859749B584A8A055
                                                                                                                                                                                                                                        SHA-512:6D74F2522C4DC7279498D829D63862E9FD6CFA6FDE6A5041D08A81C88D3C4216DBF8639F447BD869A9D916DACA01F9DC5BFE462F0E4257B73E2B10DC3C96993E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1096
                                                                                                                                                                                                                                        Entropy (8bit):5.13006727705212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                                                                                                                                                                        MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                                                                                                                                                                        SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                                                                                                                                                                        SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                                                                                                                                                                        SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8851986
                                                                                                                                                                                                                                        Entropy (8bit):4.750815293212135
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:fUrV6CV675knWSgRiPyQlrUmf1C6C6y6Z6/678HaBMypuO:sfhaw
                                                                                                                                                                                                                                        MD5:8E263CC42A54CE9A3562008EADE01062
                                                                                                                                                                                                                                        SHA1:5053B8D240852729C73282C9D2C2BEB3D749D2E7
                                                                                                                                                                                                                                        SHA-256:6F95E9FF1F5C55233BCB1520C1296A0C7AFF9CB4D864086DA191ACB77E7A068F
                                                                                                                                                                                                                                        SHA-512:D25652D9F8CA416219DCFD742AE330319386D499C1C70BC1830A68F6F4EB5CB01072C7986157E26C4298D4587AF06D33D0B8C8FF0CEC6069577C418618FB0E4F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may use, copy, modify this code for any purpose
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136004
                                                                                                                                                                                                                                        Entropy (8bit):7.915638220816395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:TzwJCGIekwc9W2bg3yhPaL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:Tzw1IekZ42k3yMK18Gb0OV8ld0GecQ35
                                                                                                                                                                                                                                        MD5:E4CBB48C438622A4298C7BDD75CC04F6
                                                                                                                                                                                                                                        SHA1:6F756D31EF95FD745BA0E9C22AADB506F3A78471
                                                                                                                                                                                                                                        SHA-256:24D92BBEB63D06B01010FE230C1E3A31E667A159BE7E570A8EFE68F83ED9AD40
                                                                                                                                                                                                                                        SHA-512:8D3EA1B5CA74C20A336EAA29630FD76ECD32F5A56BB66E8CEF2BCE0FA19024EA917562FD31365081F7027DDE9C8464742B833D08C8F41FDDDC5BD1A74B9BC766
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):195949
                                                                                                                                                                                                                                        Entropy (8bit):7.941377697125107
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZDQYaE/N6Mrvy/3JPD9W2bg3yhPaafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+y:ZDQYaSN6svydD42k3yxgx5GMRejnbdZR
                                                                                                                                                                                                                                        MD5:99B95D59D6817B46E9572E3354C97317
                                                                                                                                                                                                                                        SHA1:6809DB4CA8E10EDD316261A3490D5FC657372C12
                                                                                                                                                                                                                                        SHA-256:55D873A9F3AC69BBF6EB6940443DF8331EBD7AA57138681D615F3B89902447E7
                                                                                                                                                                                                                                        SHA-512:3071CFEB74D5058C4B7C01BFE3C6717D9BB426F3354C4D8A35BD3E16E15CDE2F2C48238CB6382B0703B1CC257D87FCECFB84FBF4F597F58E64463CEEDE4366DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4922000
                                                                                                                                                                                                                                        Entropy (8bit):6.4005523440244385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:6CZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNh:BG2QCwmHPnog/pzHAo/A6
                                                                                                                                                                                                                                        MD5:FF94158AAE261FEDA9A4E890687EC159
                                                                                                                                                                                                                                        SHA1:73E18C24C24BBBE4B9A6610449E107340DD5A1AA
                                                                                                                                                                                                                                        SHA-256:59BC90CFCB01297C5CF55F3B9B64355ABE9B1E8E1BCC91ED6F6F63613E632F48
                                                                                                                                                                                                                                        SHA-512:3F195D7F3A5D2183F6E566B4CDFF6D02BF79F31C4D6582EA80FBBEA84E0FE903329D8804E77F54FB9ED42429C7395C2DA4B71DADC6F64C31A94273915DB95ADA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2896528
                                                                                                                                                                                                                                        Entropy (8bit):6.71818880996116
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:n0h7iln3U9ZzcZ90CvaQL3nm2+hTf6yfPvJr8PNSt2wLlDZMkSf2F:Hnke90dCnmMyMkSe
                                                                                                                                                                                                                                        MD5:3D5EC97BDBBA444EE7D32A654000639B
                                                                                                                                                                                                                                        SHA1:674978EC1A6A0651A8530C5C38773F6425CAFD7A
                                                                                                                                                                                                                                        SHA-256:303E741ACC90EC72962D9C658BCDA184340338E5C1198900DF3D7A96BB3A8BF1
                                                                                                                                                                                                                                        SHA-512:CF86144EDD8D03D0BB94740D1FFC6EA173DED4C10AD45C4A20F13DEE1062150FADBA6866C8C00E0B188BA465152718FF9DC36A61EB72F18C4AF6B375605EFF9D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10631872
                                                                                                                                                                                                                                        Entropy (8bit):6.276946936240822
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:196608:1IPBhORjFQwCliXUxbblHa93Whli6Z86WOH:1kwVAliXUxbblHa93Whli6Z8I
                                                                                                                                                                                                                                        MD5:62880B7D351A9F547B62B8DA6C97CE25
                                                                                                                                                                                                                                        SHA1:057F11003013CFB3F1C63E6BDD4F2F9949FF0104
                                                                                                                                                                                                                                        SHA-256:7C40C811D30D459DBF04A04C141B60EB4247CD58A008FB836605317DF665748F
                                                                                                                                                                                                                                        SHA-512:0D6F83175A91D90F4CC3EC4D9071B7ACD0CD8EBBCC592322E46FDE2ADB7198E035AF62C45A11A622F2A908E26D4DD8B8D1AF023E634A74D0824D02C791BA3C1A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):495760
                                                                                                                                                                                                                                        Entropy (8bit):6.409208933540656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:pg9l96cDNg9883RGYrMkNOCzLEUU2s2LXxvZ:pqlYcq68hvrMi4ULP
                                                                                                                                                                                                                                        MD5:17B27CA1649A7AC14A26574D6C9E2028
                                                                                                                                                                                                                                        SHA1:3583DB54838E50DE777D4246EFE49F5A8743770F
                                                                                                                                                                                                                                        SHA-256:6F763E395FC4650A2A17BAE1CF3A268B1A6B4EB081D19D7868522476E2F91C12
                                                                                                                                                                                                                                        SHA-512:3620616AA90077ECF89E787ED2D2644D8AF3C0A79FABFD8E89C68941DF3CCBFBD83687B3956F3882EE27E409EBCBE5093A102B49ACFA3C1D10C92027A9EEEC7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7508112
                                                                                                                                                                                                                                        Entropy (8bit):6.488303026501504
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:pAgpTkR1Ff1SCUDuVyALwkQyx9StmZe5wXVrjD:q9GPc+kgcXrj
                                                                                                                                                                                                                                        MD5:6CA5C317701092DDAF7500A55F6B9B42
                                                                                                                                                                                                                                        SHA1:74532206A38649A56F5AAA4756D3983797BFFA13
                                                                                                                                                                                                                                        SHA-256:549E1ADD7364EF61573830371528DE024AAA8F2C38DCCAB676C0CB8706788FF5
                                                                                                                                                                                                                                        SHA-512:6900136D42EF7963D632BBB4BC2C11346011CEF57AB63D6ED87F0BCF8398584B6A0F693FB3FAC0A6A89D5D50E74D128397A7D45B3ED1DB87376EF239B90D70E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435973
                                                                                                                                                                                                                                        Entropy (8bit):5.420771352473224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:yL0N/vpzXda2KCh2bM70i2Jyngy86BVCgIxHSt2lyV9V5t/te6AziApNi2:yL0FxzXda2LIbM70i2Jyngy86BVCgIxZ
                                                                                                                                                                                                                                        MD5:D16EF573959CF5CF0A6EEA20136B9C0B
                                                                                                                                                                                                                                        SHA1:E3384AE3EE92E1DAE47A48E45589372E940AAB33
                                                                                                                                                                                                                                        SHA-256:73A8401E6DC17C4DAF86B42C65B81359348F7E6B4D62D8637138E747BB3FF0AE
                                                                                                                                                                                                                                        SHA-512:064C2912F766F10EC042ADF82709AC9582CB8430E3550690FC17343C380DCBABADC0084E08AA5F3EB6FAF79A652D26E1FE2606625A180B7F47808DF07A566933
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710422
                                                                                                                                                                                                                                        Entropy (8bit):4.889515373188112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:xzCqEYtxbGUTZwuMhqNx9TvLB/m/+9zT85J933Vw0upOAPxx30jH8+V:5CqpxSUTZsqNxlLBu/+9zT85J933Vw/o
                                                                                                                                                                                                                                        MD5:39A396FCE4D93F744B3C786D62D2686C
                                                                                                                                                                                                                                        SHA1:7EC8176E652B666B6AB9FFFB6CB9B7DCFDD1A2A2
                                                                                                                                                                                                                                        SHA-256:0B1D326BE9DABCDA8E37740017383F2D8F1BEC7A8FDB1F11EBE538C3632453FD
                                                                                                                                                                                                                                        SHA-512:798063B51F745FC2C9E7F852F72CE55939ED41305D070D1844C790755F7AB42A6830406BA2485237D37A0C46B804512E7DC37C65B7F03249C28741A4F706017A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):776660
                                                                                                                                                                                                                                        Entropy (8bit):4.901282904991353
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:OzoB4gW/B/RbVGQKvvYUNDjwkhb5YNip+olYMgSENX//:Ipg55X+L
                                                                                                                                                                                                                                        MD5:14B15761CB9D4E1956812DF8B42C2AEA
                                                                                                                                                                                                                                        SHA1:7C25580D892711B9EFF1A3ACE4E6699EA64E0706
                                                                                                                                                                                                                                        SHA-256:C8D405127B032587E6AE6426A35CB766139BAE26170CA08D811354486AB667F8
                                                                                                                                                                                                                                        SHA-512:EC9A6E6E715C817726AD744FADCA4D1AF3015D95421774CCFE54D616225B7A17E862E086FE0AEBB3A903D2EBFB27779CFFCD713D3042ECDF9761C24C5A56CDCF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):807254
                                                                                                                                                                                                                                        Entropy (8bit):4.657332043590551
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:05iZCv/q5ftlYMdAs1axUB4x3aCKGtVDqSmvunp8dIO+5ZJquLRlbQDwN/6ZIQ6Y:0mCv/q5ftlYtUB23a0tVDqSmndIO+5Zk
                                                                                                                                                                                                                                        MD5:01DFB1A7815613FA0A5411235F45B27B
                                                                                                                                                                                                                                        SHA1:3BF1EA5597AC77B26BD30CAA1EFEA7CB4F7A1B19
                                                                                                                                                                                                                                        SHA-256:13D08D2C4972CD18BB8EA8A57587DAD29684C2336F73282DD3284B0649377CF8
                                                                                                                                                                                                                                        SHA-512:5D8A65E5A17AA163FB679E003E1837EA96E515B105C9977029A5CA4854845289DE5D65C0EDFD473CB74410C5CACDB5B360F25A69776705FB05F48688D92680DA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1043696
                                                                                                                                                                                                                                        Entropy (8bit):4.274774940218697
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qiTj8zSyVwde8yRWFyW2Ge/a/0hfI0PLvCIOvkMBbStDn5JiXlZ0:bTj8mySc8VcE8vBO7Bby5Il2
                                                                                                                                                                                                                                        MD5:FF4F966849B4107535E41D037D9144C7
                                                                                                                                                                                                                                        SHA1:3A973857B061914E8905BDA7E8F2BDAFA384588E
                                                                                                                                                                                                                                        SHA-256:2DC26DEE345271F4606650912B0B7B5DF68F621F2920864E0E36C1D1B22459B1
                                                                                                                                                                                                                                        SHA-512:98772F266F9553F77F91B11DC4589EC8A0930554E9E0B381BBACD8D23CE794C04F6FE821388A6E87CB14CB59C7522C18C06B1AF11FC177C7E40EF71242ADCBA7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):491145
                                                                                                                                                                                                                                        Entropy (8bit):5.414447286175489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:k8E42a7G6ELn1R355PAF4N3Mw2juwHzejm0XNlGq8EmsTRvIs3cmlLEY0CJ7MyUw:iiQpDR+Vac/MNI5/EB5HTBaY
                                                                                                                                                                                                                                        MD5:A0B45B122241CF0C11A081EEFB9CB4C6
                                                                                                                                                                                                                                        SHA1:91FD660A4688AAA70FEE42E783B8B1863B4D11D7
                                                                                                                                                                                                                                        SHA-256:7D911CDA51564500DD7A6DE43A1E347869427C035B15FA25CAD0526BE9E055B1
                                                                                                                                                                                                                                        SHA-512:ABCB3BCB96934189CDFD52528CD7C65EA870C9B997BF6349599B7064FE6F4BEF0D34809F0F958E4D4E46486E7C0A41F86B5ED0A132BBF20743D41F3AF64788B4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):505998
                                                                                                                                                                                                                                        Entropy (8bit):5.852692589945994
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:MI6vfxlz7skzhZZD7ZUVNzrAMnz15/8VEgkNOQw3SBbY8Qm:9mbz7sobnZUVtRz15/8VEzNOl3SX
                                                                                                                                                                                                                                        MD5:1101C784521A550B0561B363722086DE
                                                                                                                                                                                                                                        SHA1:838F2BFE3432B87B950A2EC5D9862D2F58FDE3E5
                                                                                                                                                                                                                                        SHA-256:CC6FF937D1C9FEC4634DB4E2F6C0718D2606FE2D5D25ADDF1314E110C5B78772
                                                                                                                                                                                                                                        SHA-512:ECA3CE2075D3C920116C9E34957631E0617A869467BB76B09873AE96F7803F20032A6DD0A0F785F9E59DCFCE3A4CCECDAB2D445A860BEE20D42E140B45E74089
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):457300
                                                                                                                                                                                                                                        Entropy (8bit):5.462360584216823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:CVNYzbxqzVBYO5c0orUrnwlH2oJwREbtEbvvXe5aNrRppd4gTGqfwQ:CV4bVLr2nQJ5SrJTpB
                                                                                                                                                                                                                                        MD5:5B033C206820ACE5EB4C6F82AED34A5D
                                                                                                                                                                                                                                        SHA1:28017CFC13259273022059F02564FFC99DCD75A4
                                                                                                                                                                                                                                        SHA-256:1A51DE04CB205C708520F1B013447F1A89F0B1330DBCE6D1E71CF355319D1108
                                                                                                                                                                                                                                        SHA-512:E423069F7A895179EA17BE5774284E9E2E27F02C40BAC7D7211CAB77348800622796F04C3E6618905364E189CA5EC772ED7DBD285872777D163D3EBEC08A64D4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):488577
                                                                                                                                                                                                                                        Entropy (8bit):5.513232917056381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:hHb3YfHLHsf63K7UpTzighla/nxDUBEmw3Am0o268dz5qRwT1MROI+ChF:yzY63K7UpCgvaPhf0p5q9+ChF
                                                                                                                                                                                                                                        MD5:7CCDC41A3DBDF89058D71629225664AE
                                                                                                                                                                                                                                        SHA1:E15C35B18685D9573349FF4247733B5F5ADA8717
                                                                                                                                                                                                                                        SHA-256:163EA4C2CF67EDD0526A8E18D3810872E92A1D4E17B5CF4F04107FDA5967B0C9
                                                                                                                                                                                                                                        SHA-512:13B20B0DB02A0A7480C56C79304EF594353507E1A30DA0130B73AA8E9EC7636F306315A6F40729B10DC725F936642D2E2B282ED3040A079A6F25A7F9F7F1AE28
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):885915
                                                                                                                                                                                                                                        Entropy (8bit):4.739553297972224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W1YcXPeGgx1vhxi6o/mqHMeD2fpaEAj0vSKjaEA3H8EuiEc7t2DQ739Qtf2ktKMq:AYcXPeGgx1vhxi6o/mqHnD2fpaEAj0vC
                                                                                                                                                                                                                                        MD5:2B391B2B35F7E096F696FAF5DC093366
                                                                                                                                                                                                                                        SHA1:1409134A46FCB84457A0E332EDDE98F7666246BD
                                                                                                                                                                                                                                        SHA-256:F1FE39AF50F4BFE9EDCEA3AF6C132E87D464D7277FB491ED95D7189B3157D20D
                                                                                                                                                                                                                                        SHA-512:AA640CA41DC9D4F60392B61BBEAD215345ABD32369B0DE90ED1D7CA2FF7A838D04689D538789A1ADC0324FE4539C34DB26B6C245155E51FB0308AF13B60BFDAE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398638
                                                                                                                                                                                                                                        Entropy (8bit):5.532075614025896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:bY/F2I4WPMdRwa/YBNSxMP9eFESofaYvskuN5jVS6B7RuKv:btpswRxMSESau5RSuv
                                                                                                                                                                                                                                        MD5:745918A5A74C7B6F4818A8BB8813F456
                                                                                                                                                                                                                                        SHA1:031F50286D003844425DDAC557E13E2EA4554BC2
                                                                                                                                                                                                                                        SHA-256:91BDBF5F1F6BCBCAF16E47865F72EC97D72C74174FB929F089D14C00989F91F4
                                                                                                                                                                                                                                        SHA-512:5A1EB0231352705BAB527AB27543612D75CB00C522620828CE2A0FDB0B47BE9DAA2DD7A192F8B4BF299007C5AF1D9515F900B9586BA44DD2BD9F4CD4436AA681
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):401341
                                                                                                                                                                                                                                        Entropy (8bit):5.524682081269705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1InAdQi32OqOMWvX3BO4XMP9ehWMIfaYRGrc55FSMnC/M1UwB:1IAdQqOONvXMyWMGv57SoUwB
                                                                                                                                                                                                                                        MD5:C9C2ABCB04E1AD5F1A20244DA8D595A8
                                                                                                                                                                                                                                        SHA1:89CA81DA21900074A5CCDCDC852768277B2B620B
                                                                                                                                                                                                                                        SHA-256:0364C73F320E441B03CB2AFCAACA3FFBFAC51A3559DCD0FF99A1ACCF82C7F762
                                                                                                                                                                                                                                        SHA-512:96BBF21174F56A111A2FC6EC024AB2F143945306797E77D773367A7FAD42B7828EBB7B08D0DAB76858D9FA340BF3205BE403BC53DF9E5E4E390058C94A751FFD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):484842
                                                                                                                                                                                                                                        Entropy (8bit):5.3948267356117015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:IiaVobJnVwgKzEFRy7CkcrMjntvYs1kyagv8pPukXA0HjrW5fl5e+GLF47PRRIHO:gKdED+sYzTpsJ5ELF47PdbSTw
                                                                                                                                                                                                                                        MD5:C8F488B85C17431360E531AA507BE979
                                                                                                                                                                                                                                        SHA1:BEA5D66BDCC05869A0389E051A9217FD49E48FCD
                                                                                                                                                                                                                                        SHA-256:536339D99DEE6E8C01F018D4700DDD92CE063F765766A48073AEB256669680C1
                                                                                                                                                                                                                                        SHA-512:1D7F9F84A8D7C055BF705C71EFAEA817F1B9DEDD5BA314FEC6CE5324F578D3130B5541BB52FA55DB9F6E46EFA8E152D50199A61C7E2466844A4414DF65D61C22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):484986
                                                                                                                                                                                                                                        Entropy (8bit):5.367134061997785
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:6kqGWOZ1+zun+V4HgspZpGrUKjs5f2rYDoRRiN6PZGMj:6BbOSSmirpKjjs5ursoRwBA
                                                                                                                                                                                                                                        MD5:29CBDCC2168F1BB29532122C39E67A1A
                                                                                                                                                                                                                                        SHA1:F086C79D60DAF2B0A7DF91916387EFA461795DCB
                                                                                                                                                                                                                                        SHA-256:232F41AB5996C917687276E82C177DE208B36E77AA834BB5D94D6A331F4180FE
                                                                                                                                                                                                                                        SHA-512:B603EDF2A18F5893AB482B0C34E4126F824FBDD1B669927D7BC30D68E2E5BDF78D7D4B2AABDBE257987E8E19F440D9396A3683340B94C3FD844C70E34E93D8A8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):438663
                                                                                                                                                                                                                                        Entropy (8bit):5.47129533877654
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Co6kjhAvuvJ1O7RCqDW+jDk+xdt0T5cqvT/F1AiGGZv5/je43S3apLU0xPQQbm:CoTjhouS9DVDNOX9v5/jpC
                                                                                                                                                                                                                                        MD5:5B169234895D929930140B4869A0B81A
                                                                                                                                                                                                                                        SHA1:F58BA50D1E19CE191A0F8117F3E70F7F3DCB7362
                                                                                                                                                                                                                                        SHA-256:C465DA80B14981BDBC687B7C37BF70D2BD4B8E03293C04AE5410F84C91EF980E
                                                                                                                                                                                                                                        SHA-512:C4297E272B5C04A0EE0956B873D5246591BEE98C3B340E72202F3448381C691096A5BC540FDBCF61FB40D6A69270AFA7198C1F0CCF3B2E84CABC906E23EB022C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):720855
                                                                                                                                                                                                                                        Entropy (8bit):5.022549799082519
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:xYtlvU8u313uyqoe+slXcfqvdUzOT4imdAQifaQ2XxFvGq+MXvOthgdpxHsAQi6j:8M8u313uyqoe+seq1UzOT4imdAQifaQz
                                                                                                                                                                                                                                        MD5:F7DA0D07B54698BF8A213D0CCF1942C0
                                                                                                                                                                                                                                        SHA1:D64FFF18274EBE71A4AAA4754F9BB99D616FA000
                                                                                                                                                                                                                                        SHA-256:33BDD6EB52F648D475306F35B6103500B864672CBF39CC0FBD8C4AC84C997DEC
                                                                                                                                                                                                                                        SHA-512:CE7A7B3DF4C814A26E3FD9FDDAFC01AC1A4B2A87EF2D2893DB5D0EDF8E5B8BFE34AFB6E91FF94306248361D57C6B3BD63D116635FB756AAB74C4AED38F31C88F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):449023
                                                                                                                                                                                                                                        Entropy (8bit):5.435118446970961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:JzlRT+nYGj1FT19iPzGI6B2Roh2jX7GsPzWvOEHGaSNLD5jYWyHRErWacu5CGWO/:JqYGFT19u5JvRa65jYdHRErWaPl0Yb
                                                                                                                                                                                                                                        MD5:1CBFA553A5B1DE642EA4C248DFE1EDBA
                                                                                                                                                                                                                                        SHA1:5DE05B3C11FDD59FF5064A153A6DCBDA33350971
                                                                                                                                                                                                                                        SHA-256:8F3E8EC0FBB471B45DB65A77DC1013E3363F387D3D0C6A458C90F371907D0085
                                                                                                                                                                                                                                        SHA-512:EA3B99BE7DA893BE8C3B228D1D3D7B644A1F5425B5380DC3E0AE0BA1BD29CF39DABE73819BCC4FA67F10A488F018E9FA2328995CB78F40AE8FDB66AA514188AA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):507368
                                                                                                                                                                                                                                        Entropy (8bit):5.207212722895636
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:/a4EFuKhJ6hbb8GmxKGp7xLyBDQZSHJu0FeKznGOZ3jmF5aVmzb8ATf3H:/SXJ69BmBsp7aF58mv
                                                                                                                                                                                                                                        MD5:8CE446CAC9221F07F912BE59534D86EC
                                                                                                                                                                                                                                        SHA1:15CD1B902B26ABBE665FED518575748483A9C3E4
                                                                                                                                                                                                                                        SHA-256:B6CE37B1AEB4CA17A7F78EBC8F97C2807F588DFC4AD3E0639005C626B5C9B939
                                                                                                                                                                                                                                        SHA-512:20BE2B5C7E8FCA897109B1DC8219931EAAA1C8296B1D26DCC7F9058168FEF371D7955FB0F6C5693399B83FA81D27369EFAC8C3742059EEA2333BD66D20B8D0D8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):525519
                                                                                                                                                                                                                                        Entropy (8bit):5.393542369720876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:rf94ZLoeeEfW6QuaWV5sKzTeX/Z5MYnYZMBrNWiKe5exMJSWkt40wCA73OF8WqiQ:rfB0V/r5jS
                                                                                                                                                                                                                                        MD5:A1DE4AD3D9B7AA8F122BA00CB983E49C
                                                                                                                                                                                                                                        SHA1:323D6E1B4ED75F9406BB8488D7FFC7E12FA96886
                                                                                                                                                                                                                                        SHA-256:A69F52162F6081A06F835EDE10818218DF6E211F00D0EF24561E6221F4696E61
                                                                                                                                                                                                                                        SHA-512:542F0818EA4517FDEA929F3D4938F7DE75E2A5E6D872607E548F87DE7E9CD0737FAB3F5E82AB7895F44E809279D81C490999ED055ACBDDAFE84F85E60CE2E23B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1019985
                                                                                                                                                                                                                                        Entropy (8bit):4.31663406991556
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:zIMpRrC1YKJvPF0WxrHYCjXCl3HIwjAwREJKVMjNiT7llj63rFWlPvpqi5eQWkYh:8QRu15JvPHxMCjSlLTkh015cVhYYHB
                                                                                                                                                                                                                                        MD5:02BFA1114FD5B75261C24D6C0E6441F7
                                                                                                                                                                                                                                        SHA1:D48B80339405CB8C8EC7A19B688E8D544938C4C7
                                                                                                                                                                                                                                        SHA-256:BBB17268412FB3E13584CA4DC90A94F984177D3C97EE89AF2A57324709F8ED1D
                                                                                                                                                                                                                                        SHA-512:751B91D381C882A5DC0C0EE6313CF3E7EF51B4D369330A169CF9625DE99E6019233109E815FC474FAE44D79235940BA2CE68AF7033F4C4C994E2774BBD8105BE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):630920
                                                                                                                                                                                                                                        Entropy (8bit):4.630663820009303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:6iRfEbxhQ3SxsheRvre4maaW/gNZpl60XA4OX78eQCap4X59U4omhV5ylm7eDnw7:6iReew53ok
                                                                                                                                                                                                                                        MD5:9FCCB330D8B07CA54661407CF737D847
                                                                                                                                                                                                                                        SHA1:2C6F52801B66AAC7D08ACB60D9736F9149E48AE5
                                                                                                                                                                                                                                        SHA-256:BB06D364A91B8641724254822B2EEC5D0675E262A4CBF93B92494F601807DBEF
                                                                                                                                                                                                                                        SHA-512:0CBF36643CC7B1D85DC7CB7825BC816A8538D0CC50B137DD27D5A9703324AE7FF271D38DC0CD6E4A99C6B391070690B90EB8DDB1CC511BC8D84D49A32D36C34C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1072787
                                                                                                                                                                                                                                        Entropy (8bit):4.2950102192986686
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:TOsoU87801sObZWjUNOBKV/BB0ZV1dsuOlzLZW3XHLeOTByntDPtDlqpZs4J/8Wq:xfElWjuOGy5I5oJJa
                                                                                                                                                                                                                                        MD5:CD91036827739441E4CC849AA30706D6
                                                                                                                                                                                                                                        SHA1:CC8E4C53E18DB16876F855C2377F3CF0E2ABF95A
                                                                                                                                                                                                                                        SHA-256:0936587AA072339F8DC347506E5553159319A686010CA1912BED1D830E107C6E
                                                                                                                                                                                                                                        SHA-512:553773BDC11BE94F495B88E0587D572455EF68C182D51C9E1AE0E3AA23744F836996A446ED136AFC562EB9A110E435B494D5955D2792A364A619111E7B3550E6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):489113
                                                                                                                                                                                                                                        Entropy (8bit):5.523236785909083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:L5ntcJhHDvjz84N5dkYjjaBV08IRpy+w4DrRkpNAyFOSGqf3rrHlcIG0uP1aSNZA:/cJhvNcw9PwUGMly5Ur7jdicO
                                                                                                                                                                                                                                        MD5:EF62A50CC098AFCF3FAB69C7502219E9
                                                                                                                                                                                                                                        SHA1:DB474CF332C90DE660FC575EF897D5389B65784C
                                                                                                                                                                                                                                        SHA-256:07EFFA557C8BC822626C05A4D299296F88D3DA0654248C326D796F7C2DE3EC64
                                                                                                                                                                                                                                        SHA-512:7AE6F40C7BF404532DF0BC2FFA449E0D99DEBC2B9816450ED0D015B1634DD96CD5650AB6AF5A6D44D52D0E3C9C81836EE350210C4F8A13BE6CC0CB796A630350
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):526055
                                                                                                                                                                                                                                        Entropy (8bit):5.6492163480603805
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RG4U0RnIyvDoBrDu9O5gVHPCegBAcnky1FB56wqZfK81YX56xTkXqeJrn5gRSDCO:RG4UMnbguUdAIB56wKk6qjrn57iLW
                                                                                                                                                                                                                                        MD5:51B14B96D1B9FA99ED849347A8954133
                                                                                                                                                                                                                                        SHA1:5259B749576A9612E429A665DFC8BF47651C39EA
                                                                                                                                                                                                                                        SHA-256:70D4A0724A2E0E80EC047E7683EEC7715C0FB5F88795CC97A63E4C2EE2237800
                                                                                                                                                                                                                                        SHA-512:B68D4BC792F29DF210602A557D0B3333A95E30CD03A0A4CB5F537C9C51DA9937119391F2A359C03FB874C1F540C23F44BEF121E45F048F32B1DB06D67A0BAD1B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):431922
                                                                                                                                                                                                                                        Entropy (8bit):5.389359401295906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:DT9syVtlTqQWoK3UqC1s/fjeVnjHFm6mPAJc25TVh5vtblSzjsEaeh:D5suavkqHiVnjHFnm4Jd5TVhIh
                                                                                                                                                                                                                                        MD5:3B5E08406059D1A76566E9A5D4C9B15A
                                                                                                                                                                                                                                        SHA1:6BF45F2647E959EC1B545763180E8F29961AB3E1
                                                                                                                                                                                                                                        SHA-256:60409D8B785DD057E3495190B18E6D6D235D8313555341CBA5F64327E3D8C3AA
                                                                                                                                                                                                                                        SHA-512:6C4150C064EDF6ED0B83B216CE62134BBAB12137E6B45749DAD08D1D1734B3365309414900615137C6ACDD12250ADD5C69A222DAA7984A94EE850AAA55AF1B8F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):477964
                                                                                                                                                                                                                                        Entropy (8bit):5.300124197784544
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Y+mNNNc5Rqviax9RwYMfjNBYISOqRRRsO1Stk+RT9Tjex5GOt/ELmubPUvbT9fL1:YjTNARqvwO3eZ3A8lhHtRA5hlo6
                                                                                                                                                                                                                                        MD5:4E7AB6A5D407BF4D3F96671D65E467F9
                                                                                                                                                                                                                                        SHA1:67F43053CCD167F2CE6D945202F64DF29EE1AC49
                                                                                                                                                                                                                                        SHA-256:20408C09D9447F44AA920F2529D231072DB8BB9C0C8B8FAFA2DB733561EB6964
                                                                                                                                                                                                                                        SHA-512:BF493E1A1C0898F7A54F8A5278DC0CA345E9937EFE269B1BD3A3BC90645D767070EC9C117DF001F8C3B51B4A383C30F025DAF79606AC1840FCC5878AD4C53624
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):584193
                                                                                                                                                                                                                                        Entropy (8bit):5.694400988777854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:WzLA//bCXyIrwdzzln44dZns2C4tb85BnDxV5:ALA//OXyqw9RdZns2C4+5BnV
                                                                                                                                                                                                                                        MD5:74E2430CF18DB7ECAE2A9B1FEEB049B5
                                                                                                                                                                                                                                        SHA1:362A5F3E4D8A79B9D0B041D62A8A5233E20FB208
                                                                                                                                                                                                                                        SHA-256:1A726C500B5B3EFDBC7B9E6626765DCB8957005F9C072C09D1F517587D6B673A
                                                                                                                                                                                                                                        SHA-512:324D0BA770C09CCCAC4C59E0E0605846A4E18F32CC79F14FBD4E5B0172F439EF8DEE538F686458B3A07E5E8B4528EF67AA5D339AE25F7C601C9A302CAA7970F9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1173741
                                                                                                                                                                                                                                        Entropy (8bit):4.225519544497436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vLwIIKo4A60R0RevnIS7d5EnUj+uF+h0FJ:vMIIKUz5SUz
                                                                                                                                                                                                                                        MD5:56C5F63F439CC962B815BBC4F3F12C32
                                                                                                                                                                                                                                        SHA1:C96248CAFD869FEF11BC37AEFB1382D0F60A7855
                                                                                                                                                                                                                                        SHA-256:14B332541C2CCE0835202372F8CC822AEF30B3575B651C96219A88B8D1381648
                                                                                                                                                                                                                                        SHA-512:9210759D8E73266381FBF04280AAD0BC5006F315CE3FCA74FE304B3261AF0BA399210F0B84620230D6AA0C667E60C0A6D9E67681FDFAC401338E9331475BB7F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):492782
                                                                                                                                                                                                                                        Entropy (8bit):6.069818388014136
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+nSZ8uRit3zdYBb/XHcit8OQ4EVhrxsRCqR5A7eVt+8ftKq7hUomrOe7nB:USZ8uRDcu5c8TQnB
                                                                                                                                                                                                                                        MD5:A9B446BB79B0E5D0B4AF4F7243B1F3E2
                                                                                                                                                                                                                                        SHA1:FCF962506B32B34A6315ED61ACDECE33DF3DBF23
                                                                                                                                                                                                                                        SHA-256:507FC8D2A468456F2842B65A111FC0C74FE1F56D5F5AC0D6E743AEF186B43B2F
                                                                                                                                                                                                                                        SHA-512:E7F281206BD481427A75B581F8B2A435EB8A29BD8B5586A8DB78605B1C1BBC20DC1F4B2FF92D04C62FB509DC6E1E062D1D584C195E386C5C2FFDA0F764276AA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):531495
                                                                                                                                                                                                                                        Entropy (8bit):5.642978583072715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Z8zeZddcMEXRfMAYVeXWjCCM5Gz52uxSog6Sbt:KzudcMERMHO2M5w2wSo+
                                                                                                                                                                                                                                        MD5:49201FAE17B715A15FA03C4D89DD2176
                                                                                                                                                                                                                                        SHA1:7C559C174850DE48C4A2837FE32C58F74D8150B3
                                                                                                                                                                                                                                        SHA-256:4A80792CB9A401EBFA7EC3212182B5024D651CA6A5EAD8FC9809D0D3AD4803CD
                                                                                                                                                                                                                                        SHA-512:3016F721D77206E13E275E7EEA1ADC95D403FEACCF595EACF933940485031E9AAC0C29B6F47A9FF5F73B08C354B7B82C72193C83E1FF09D84CB5B9B72B708166
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):529136
                                                                                                                                                                                                                                        Entropy (8bit):5.634149006390685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:oAbYD8by28DerxZMNmtVFItX9a4jXcmZib3z5SyT2otETUswxqEAYRFoDs1r:oAbYcFk5I4owiz5pETKqns1r
                                                                                                                                                                                                                                        MD5:335158EFE454819A0DC8DE0EDB0F0E90
                                                                                                                                                                                                                                        SHA1:85871F85F626DB1FC597EF24C79C84115A66C17E
                                                                                                                                                                                                                                        SHA-256:113073CF60AE3D2BCF8A61DF655762E34BA28E4B35B97DE33C18E13F959D76FF
                                                                                                                                                                                                                                        SHA-512:F81733BCA3FA65C789630B55C4F414A8541E71C4E1ABA56BDB9D231CE189677B3BFF4DC57C92FBE1CBC88F1F2F7FBF1A7E4319A8918C50409FCBA958D743CCBC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1219982
                                                                                                                                                                                                                                        Entropy (8bit):4.262128412360071
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:enA2cMmsbbAxRnxffi177/zY8Cmn1py1rcC3e2hh5L/7djZ8fI3pI:sSdiZ/C3eI5L/7X8w3e
                                                                                                                                                                                                                                        MD5:1030C08FFBBE7366CE5B7D55BC8ECC0F
                                                                                                                                                                                                                                        SHA1:B45B53C1E47A0051560C607874357130C499563D
                                                                                                                                                                                                                                        SHA-256:E1F97CE3011D9231F23FE033BDBB0905C173921B18402D362BFC35224FF67DB7
                                                                                                                                                                                                                                        SHA-512:3B9127A0EEC02F75F79C66F5F7845B65C4EBE2E6A33989C7686815FFE0651BE47D42F55C2F32A67A221495A8BEBF043D853DF7B244A68F89390044210E52DD3D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):999814
                                                                                                                                                                                                                                        Entropy (8bit):4.292642596004364
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:FUob5vNBksvu/nTuViFo0vYJGVXUPC9hY7xFEMUCG3GRw3RkR3KtOu1zLAQ4BmHs:Fvb5Du/ni50i0r4Q5gRJp5Rprwg
                                                                                                                                                                                                                                        MD5:EAFB18D633064D0F02A3EFF3EFF9AADD
                                                                                                                                                                                                                                        SHA1:A8846E473014BE80125630F1C5B51366220FF018
                                                                                                                                                                                                                                        SHA-256:FCB7C4AEED28AE4D16FA7B82D9571165AAB0FDD46EB65D3AB29007231630CCEF
                                                                                                                                                                                                                                        SHA-512:D332A4B7F4CB1583A5BF5CE08FDB46661A5BCCBF0A66F7F5AB6CE04367E9BC589588DCB32F443695A3AB129DC50D2962ED4C138F97858639D4EA37C117E23495
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):453603
                                                                                                                                                                                                                                        Entropy (8bit):5.263221817977717
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:w7Iw1hcujkKorUX7mxbIFYRl1X7ezIrR5sbZKMMEVdED:wswfcugKwUKxbVl1reg56lMr
                                                                                                                                                                                                                                        MD5:3D0DC94A638F98D9BF3C0F60F89A0C95
                                                                                                                                                                                                                                        SHA1:A979B04C65832D908305FB0406CB0653271AD744
                                                                                                                                                                                                                                        SHA-256:A9F9AE23A3BC2AC919C5B46D16B7E1F3BFF73698D2626260196210E101D119C2
                                                                                                                                                                                                                                        SHA-512:6D687F1EB9A7FDA3791295487063393B8F0A7409B55461B185AAF106C596229DE6988114230625D6504B869D25D7A624BC3B90D66A0BDF561CB05A57D5B87C15
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):441512
                                                                                                                                                                                                                                        Entropy (8bit):5.436019023287174
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Zx93W1+5dOY/k7Op7fszJPMh5br46Iofh:Zx93W+rXePMh5n4PS
                                                                                                                                                                                                                                        MD5:9C18DFA9E69C1D7810132800D084136C
                                                                                                                                                                                                                                        SHA1:BBAA9576E1B012DF33D79A5DC7776C00E67295E4
                                                                                                                                                                                                                                        SHA-256:4F3BABCBEC0D138654EC59FD8AB5FD58DA2273237A587928B9687928C7CA10FF
                                                                                                                                                                                                                                        SHA-512:A82B1E340A25A3858906DED73624BD0BE4B3CCD1F5728560480B4A4E3A78529F5A178D20CF7D95FD55DED7CA4FA95A5FFF87D89F0520EA08B54E7B99C9057D6B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):455078
                                                                                                                                                                                                                                        Entropy (8bit):5.3792948383662385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HLTFwwa9TZgO73giDngp97gVvG5hHhpXCFbG559toxeGpbhN+gyPTC:rTF89T6gVvG5l1559toxeGpbhNuPTC
                                                                                                                                                                                                                                        MD5:5CDE06A63C9DC07FDBB0FDC94E403D00
                                                                                                                                                                                                                                        SHA1:11BE56054908F1F9CD56AB77692FE3717EE91EE8
                                                                                                                                                                                                                                        SHA-256:3B9ED5ED0DD07D8FA67412A046AB085137542C156876DBFE6F83376571AF91A3
                                                                                                                                                                                                                                        SHA-512:2716496DCBF76CC2DECE938103813A8DBC17D4C795B4E3459A572DE4F62F9AC0E1788DE3A21F5FB287AD364DECBD541A5E3BDDD406E130D2A9C72118CCEE5390
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):509320
                                                                                                                                                                                                                                        Entropy (8bit):5.773091636307711
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:v+GWoOB/ZBjSowU/b+Xgv2iWWbafPfCUdxe3mdU8dmo1Qhwal5cNL4U+8/:GIPb71Qhp5ZM
                                                                                                                                                                                                                                        MD5:B44FCF9FDC4EC7BB5E72CAE30AA15C01
                                                                                                                                                                                                                                        SHA1:DAAAE4AA7987BCCE299995FEEA5C54F2D77B61D4
                                                                                                                                                                                                                                        SHA-256:7F1A8392FE3AFF4E6BB4BACBC1F4B395F08ECAFDA9F81E36B41B77FB4AB0BC76
                                                                                                                                                                                                                                        SHA-512:52B46D7AFFAC4949FA19841D26D2F4BF877E36CBDA4B75F3FF289A7ABE9A80C2A014B1AE23D3079F4D31ED5FA76C320103733284A2C13D99A451810407325674
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):479561
                                                                                                                                                                                                                                        Entropy (8bit):5.4365485252742225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Z2goEz6oEyiXNBXBLtmiJWpyCp5c4JkjIsR/kVdw:ZXoHHyv5bJvsRcVu
                                                                                                                                                                                                                                        MD5:DE8FF9456BA9EA999D0D1BC9B831E7CE
                                                                                                                                                                                                                                        SHA1:1D67C6DD97FCF221C71137CC8B1946368807ABA8
                                                                                                                                                                                                                                        SHA-256:B32FE8F602EC9800D59806E097E369FD065D8FBF473DA40FD29289493489930C
                                                                                                                                                                                                                                        SHA-512:5A3A48DDAD801382EC9065C6160698DD746AAE810374C2B772D521A1764E7E0FD2C28C5DD1CDCCB50834D699EE19441713FE10A91DDDEAD46BA0CFF3EDBD6984
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):480680
                                                                                                                                                                                                                                        Entropy (8bit):5.413568252819253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:2MyBFs/8K4/ieJVJJxh0plLGDf0wz5+KKSR+v:2MyBFx1z5+KKSR0
                                                                                                                                                                                                                                        MD5:002D5B37E68A0725DD7D89FE3FC7EC48
                                                                                                                                                                                                                                        SHA1:545DE8047D3F89150516B95031965ADC8F17DF68
                                                                                                                                                                                                                                        SHA-256:1FADFF356A7E89A8FF2AF3DDF84F70FD0CE69525C7787F8ADAE10BEED9D76D4E
                                                                                                                                                                                                                                        SHA-512:ABAD6CBB30A958BB84A521A66636AF4221A9F63774122D3AC3B552503930AD83D343EC4C8109C8031CAB17C546EF7549AA0F87746E39A80F6758FAD28ECEE129
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):498034
                                                                                                                                                                                                                                        Entropy (8bit):5.462067165925256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vTONXXaMqapFzWovxpllKueGP5fBo0xs2h/bulOa:vCXXaMzFzWoJplQuN5Zo8/na
                                                                                                                                                                                                                                        MD5:7056FC61DE4A16C7F4F5BF44D2E87F8A
                                                                                                                                                                                                                                        SHA1:99D16DCB3B1AEFC472601439F630E1244B1AA277
                                                                                                                                                                                                                                        SHA-256:B7BA9435D82F6BEDD7005B6E868EE86F0BB6C4D7B312FE5F5D4AFBD440AD5B85
                                                                                                                                                                                                                                        SHA-512:529152DA39F7ADE6713206FA9F767B35B9BF03816387579522EEA78AC7D0E150BAD557FCDBEF51E76D52E39F61A0B4E54FF6A3B592EB7E34FAFDB98AFE460F7C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):816954
                                                                                                                                                                                                                                        Entropy (8bit):4.834266897182259
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:m35b4e7TKfQjRo4YS7yODNKg/z+iIaJqShsNoqcnYHReXN2hsO3j/MvbzvMCsjAF:mlPf+V5l6pz
                                                                                                                                                                                                                                        MD5:91379A583D22FA9343ED466C261366FF
                                                                                                                                                                                                                                        SHA1:61E8C39235945C4F38807B14AC74DA7D3257759A
                                                                                                                                                                                                                                        SHA-256:0D4D0B8052519848ABD182C44DFBF444A77A0C6994965C4A3001F0A3A4D1459E
                                                                                                                                                                                                                                        SHA-512:DDE26B59A1E5F94D5B245F47399D7A9D3DB8D247037331A471C39B1D7E79E236C5A0732FEA4C53B843D8EAFF1F54CA155A816A193B7BAA870FC458A5AADF76BE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):514787
                                                                                                                                                                                                                                        Entropy (8bit):5.823755040121771
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:MjsFAECOdqsskQcNfytiEmap5DvojL6xuXLPxt9Y:2ydqswgyRp5UjLnlt6
                                                                                                                                                                                                                                        MD5:78BC785A75EE512391A9CB462A771C09
                                                                                                                                                                                                                                        SHA1:229D39E017174DC0A8CEFCFCC72B0FECA94D6208
                                                                                                                                                                                                                                        SHA-256:EC15C82956EBDDB7B246C78045AD414ED34CA97D890A915070E252C8715096B0
                                                                                                                                                                                                                                        SHA-512:96556F6072E69351E1BBCE06BBF896B1AD53060C7CBAF7928EEBBE0F610F5E8778B2B8B97A5A268B7942A1C8D1ADC6BEA0403383A2A5BB99049437E95D575EA0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):494964
                                                                                                                                                                                                                                        Entropy (8bit):5.49413802901098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:tWAZlfdLptj7B2jJiV95b0cnJHje7i/fzvJqv:tlZDptjrV95b0cui/fzvi
                                                                                                                                                                                                                                        MD5:E76E473C419C25768B08A95A2822918F
                                                                                                                                                                                                                                        SHA1:0FA7E2FCABB03A8788F50F1D4B4EB383C833E9BA
                                                                                                                                                                                                                                        SHA-256:FCD27A9F5CB4B4BE373DA7076A8232006EBE020999FDF90D20745F16CD7EF223
                                                                                                                                                                                                                                        SHA-512:E39AE0ACBB7D148D6ADE676D92E83FA9FB433230BAE4339C31693A538198BF0679ADEF51883B96F8DFBCC8593A982544C64A2B265897F35A693183B27070EA5B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):763089
                                                                                                                                                                                                                                        Entropy (8bit):4.7513575774952015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:5cDypz07IT6KvuDeqIdl11i8gFeYTotLA5s2MxMxmobA370JMS/k/M:5ceV3QCA5exBI
                                                                                                                                                                                                                                        MD5:48ABF758A49E2E8AAB013F2BF56091C0
                                                                                                                                                                                                                                        SHA1:CA909BC28B03BF959AC32E218A318289E0BADBF0
                                                                                                                                                                                                                                        SHA-256:B4CF2D19B5E443B57CA9D1189880458A7CACFE1C8B231265557A3FB58F597617
                                                                                                                                                                                                                                        SHA-512:22D65DF1CD35A8127296420A699F26EDF55813FD6A970050DC9B2B051AAF7DA2CF2FE6314A94977587021C02AA7D8B42541E1D08D5940FB7E1AF127E87268C68
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):444074
                                                                                                                                                                                                                                        Entropy (8bit):5.5541915821924555
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:NoWjWd1DOBvgqLMxTFyxycT4RFcm/8GM4iMjSO9DE/xWcqVj5fY5p6gKb7:NoyWHwvg9FN5w5po
                                                                                                                                                                                                                                        MD5:06C878C1538813E5938D087770058B44
                                                                                                                                                                                                                                        SHA1:C8AB9B516B8470BDEE86483151AE76368646BFFC
                                                                                                                                                                                                                                        SHA-256:90DC45426BC1302AA05261F136881DDF038272E9AC315297AA8E5DAE2B31109B
                                                                                                                                                                                                                                        SHA-512:6DDF615BCF0A8C62221233687BAE1EEDA5CFD749AA8ACC179D6650987289201B405EDD453FC181A1D250EBA9BBDF61EA28FB7C694539FAE3D320BFDEA56665CC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):466983
                                                                                                                                                                                                                                        Entropy (8bit):5.347321289295822
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:DYetNRoQ8cizJcrZ5DFCXRdPUNbQGRL8D5o8j2g7C5v3iZVqBce/Bruh2:0wNRoQszG5vX
                                                                                                                                                                                                                                        MD5:55241312A3AABA14A6B19A9012CA25B8
                                                                                                                                                                                                                                        SHA1:69FADF0817FAEC3BC6B018F0AF5F63378ADE0939
                                                                                                                                                                                                                                        SHA-256:722C86BD857A93AE06CA0B7CFE2CC04237A7ED5A52586CAB7246336C802ABE37
                                                                                                                                                                                                                                        SHA-512:612F815C25E9F593D1F1C4DE8E9016DCE048CFE90F21319C4CDBB5772580CB8C71229E9DDBA60852CD0BEC80A07A783ACE24F873D90DC3323E5FDCC44905F2C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1205916
                                                                                                                                                                                                                                        Entropy (8bit):4.040140087934281
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tP3cOQSyU/FnX0m/5HqMh/Y56zxtRqcA25tm1vYpiMyk:5XX/5KWY56zscA25tm1vYpiMyk
                                                                                                                                                                                                                                        MD5:2C0A9CC4A7C775FF13A6888234265CAB
                                                                                                                                                                                                                                        SHA1:497BDE42737667FC833BBB9D8A9EDAF014D99957
                                                                                                                                                                                                                                        SHA-256:1DD55659EF21082B9D58BED50F387C0E1FC0F28D0EDE52251B9ADA25ED2A657F
                                                                                                                                                                                                                                        SHA-512:B862221CF17D3F2CA0495A8A3E1F630AB915FD9B2A46AC16C71DEFFEE9A6F71264A8550233781474D60CC6001A48C7C658C77D4E0DBD5B543E768928119D2F0F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1115461
                                                                                                                                                                                                                                        Entropy (8bit):4.293134907326594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:0xWx17McKN4Ceht/d49Hwb0orWp0Bi3p1FayNdiTlC2pegqNFOVLrOo54NwQvw9k:0Ge35HMjE
                                                                                                                                                                                                                                        MD5:5F9B7A945638B88E75A3175A7923119D
                                                                                                                                                                                                                                        SHA1:6AF614F2CBD72DA2224F48A203A6430A623FC7ED
                                                                                                                                                                                                                                        SHA-256:3B476D2CE7C72C3A10170808020DC3F1A87309F9F725B08217C4716B28D10888
                                                                                                                                                                                                                                        SHA-512:3B66C9152EC032D6F2372AE5075CBFE7D0FB398C4BF173A7F8C76D91D9EAA816E6F839B90884533B46A9224E9FB52C4D439B3D1907885B8E9F80C5C55A852B65
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):940464
                                                                                                                                                                                                                                        Entropy (8bit):4.333123617146776
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vn0UN9LyZYA1T7z1L/LpftQvsYnDROgv1V5UdZWLRffgstBjj8/qGvdw3lozG2IC:vn03ok5j5x
                                                                                                                                                                                                                                        MD5:84AD3F888C0EC307BB7B8C278CD36757
                                                                                                                                                                                                                                        SHA1:948A5F8B43D059280D5374CA6D66E8DFC6A76D49
                                                                                                                                                                                                                                        SHA-256:56665860FE6577FBE00543A47A15E10ECEAE83458815F2989D179E42AF07F81B
                                                                                                                                                                                                                                        SHA-512:7001C0607DF927145E40A605E2B97914D02712D11E09CA20339CB1AEFB042A1F853FD06E78B76F6DC6F19B6DF837BCA12946A3470C6C064CA767AF1DB57042E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):476860
                                                                                                                                                                                                                                        Entropy (8bit):5.622879660217315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:FQ9HSLQl2q4qRv75az4lTxJXZvqcf4Sd9Ipksge7545/R+Ei1OCvdhAMTwiBK+66:F4SEl2q4qzaklVBhIpV545/g
                                                                                                                                                                                                                                        MD5:0AEDF5C2F6F4F49074A2ADEA454DF4C9
                                                                                                                                                                                                                                        SHA1:A48D9D8461E61170257897766DBD6906E754A0C3
                                                                                                                                                                                                                                        SHA-256:3F4658B3811B36F5CAD794E48E6507335ABFE78B0BFA0C80D1EF9C5D7BB410D0
                                                                                                                                                                                                                                        SHA-512:E359E446330FC154C16E34A7335174F372BCE701FAF85DE8A5F4B432CE3E10C69F42C93B7182DEAC89BB4D29750D0DD525B6DCD74A5B7BD724F544D14BA44A79
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):817430
                                                                                                                                                                                                                                        Entropy (8bit):4.86581943160599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:LVaMf4WifCrn2RIxnaLIN0ZCViZIJ7I5SB3IjzAJmEIl5ujLNiXElqb1EfC:Ld1i6rxI95bE2
                                                                                                                                                                                                                                        MD5:64AA9344ABD9A32F10D6C05A58EDA4EB
                                                                                                                                                                                                                                        SHA1:3286EE43F36E2232677B4573E8B4A3303C7DF048
                                                                                                                                                                                                                                        SHA-256:CA20AF5982AE706F5029467901D7D66F90B261F03C7D240D0D1AB2FCA2B50A7B
                                                                                                                                                                                                                                        SHA-512:DD768B314DA50B8BA5A006A4E56D70044C1AF79960834722894D930F5347194AE7F9F5697BC4CD0790A79341635CB1DF8C74FF45F74D1736049161AF5B163EFB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):713246
                                                                                                                                                                                                                                        Entropy (8bit):5.136901438119978
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:5xU+Nw5U8PoF8xxyWJM5T5BZPEFYWmumwQYrSwadcJKwUzu8co/9NjjFpvTg:5xP955DW3
                                                                                                                                                                                                                                        MD5:88EEF2798DEE8A361C3EA9BAFAA02A35
                                                                                                                                                                                                                                        SHA1:6F8D4CE422336CA5048EF35D6ECE360A9B416D8A
                                                                                                                                                                                                                                        SHA-256:91318006C880E427417A2B2FFF81FD451769A5536FA16D1DC185972137BC2D6A
                                                                                                                                                                                                                                        SHA-512:DB36B58186F165FF3F746AC483F75B6FED596FAD9B3F335E86B374B359E563407ACF58AC7CDED9420E4FCB91F31EEBC8A91C7777EA59BAFCED8CFF2F1C0E9A53
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):564786
                                                                                                                                                                                                                                        Entropy (8bit):5.797828508773141
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:KwEm5WJNuE+ciwJFrAsUaBScxgsHlZ0JdHqRPzaM508ETCoFAi1PzisTm7oA:TAJoE+ciwJFgaTxgsHf0J4P508uCri1c
                                                                                                                                                                                                                                        MD5:4C5C09CB7E6EB120C8019FE94E1AC716
                                                                                                                                                                                                                                        SHA1:F018E7F095605E21DB24944B828CC3580CBA863F
                                                                                                                                                                                                                                        SHA-256:E7319CA18EBA379772954132493BBABB448D4E97D755B85360ED337216B48800
                                                                                                                                                                                                                                        SHA-512:D171EE83CF02A8904290A74DF1224556887E41333B8A01FBD95F0CACC88D230195FBFB6F99F9E02573D4864B3C95B570A77C2A0B1E19324D2599925E40684807
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):408159
                                                                                                                                                                                                                                        Entropy (8bit):6.667080735281946
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iDL1fUjJVNmz7+anG7a5DnyykkFS5C4TNpI3DaNllf:sGJV4zia/5Dny2S5jTNpI3DY
                                                                                                                                                                                                                                        MD5:07B6C43D87DBF93AC8ABE6837F3C2103
                                                                                                                                                                                                                                        SHA1:79E033179B445609B3F1756C3F4184D5EFACF1C2
                                                                                                                                                                                                                                        SHA-256:7F85B35938FADCA91BFD8F92CA53613718E375EF010C340947DD27A4FF66594C
                                                                                                                                                                                                                                        SHA-512:38EF8F8A8A950B11C18EB7A40DA721B888EF792A49E1371DC8C1EB22058A6791F95BF9B25DF4BA190A7AA6CB62CE38B0BFAEA83C71B62CDE6980D12CF9DA53F9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404179
                                                                                                                                                                                                                                        Entropy (8bit):6.680398224941187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:SpyK3dSRMig8KJ392h2Du0AhVF5a5nzICFG0yn/9yYTo:k2dgpfAhVF5a5nzjqn/e
                                                                                                                                                                                                                                        MD5:960E99A171C4ED4B6D787027BA88774D
                                                                                                                                                                                                                                        SHA1:E3869AFF0C52841C9DF718133E7C4BE2977DE7FB
                                                                                                                                                                                                                                        SHA-256:E42640F5309ADD2EA7FD5A4DB503B93E479EF14807710A06D7E53A0F261DA8E6
                                                                                                                                                                                                                                        SHA-512:4E51D787AFF8F425D101882BD70E71B88B253F2CA61ED54DD7FF77C7E3A1D6570B270F4EB91F2D03869EA4537D09E141F3E32EA3A27537295EC698BF26305CBF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5409591
                                                                                                                                                                                                                                        Entropy (8bit):7.995554964553005
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:SUUxSt0AoqmWPV95jG1p60RCPNSIh1SUeCQ29GrwrJ9ctYXiQxSlzY7G/bh4sWrr:SUUktgqdd95jghUV/hQUeCN8krJ9YY+A
                                                                                                                                                                                                                                        MD5:2694D3CA546E9BA8B37201741D1B8FFA
                                                                                                                                                                                                                                        SHA1:322EE81DB1036EBA84D8991BFCB2E6D829B9D632
                                                                                                                                                                                                                                        SHA-256:F66BA8D1C1ACD35F244965433D5CFEB1D0FB3B81AFC630F131AD9C9E288D03E0
                                                                                                                                                                                                                                        SHA-512:4D555C61040D48CC8E2237867885A0651CFB4166FEB0F18E4A442540E1C1123571B1298125507D98B4C833717A9E4D732C8C6B2C487009C639BC3447740CE60A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1262
                                                                                                                                                                                                                                        Entropy (8bit):5.412279038895346
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:v/WFGWvVB/yvVlx1RnQnkfP4RRg5RuBRGHC:v/WkUVB/QVDQkfgR65RKR7
                                                                                                                                                                                                                                        MD5:5B34CDA07F9DB2DCD583C98C2A357C9A
                                                                                                                                                                                                                                        SHA1:75116E9EB0BD4D967E4E1409E8CA321DF74AB658
                                                                                                                                                                                                                                        SHA-256:E20A734E0B2CA43293B87CFA8F31AB43EAF99A89F90482502492546D7E34141D
                                                                                                                                                                                                                                        SHA-512:C4E5D699A10219FE649D848CD60547D73089EF007F38BB905947068792C3E76D1A173B274ED69CD43C85A7B6F10B90BBFDD426EC63E24741F799619EE94CA450
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................{"files":{"main.js":{"size":689,"offset":"0","integrity":{"algorithm":"SHA256","hash":"692b0b0bb4388cc72d7fbebd13608c779fd28ed6792ac38db8fdaae3e55391e9","blockSize":4194304,"blocks":["692b0b0bb4388cc72d7fbebd13608c779fd28ed6792ac38db8fdaae3e55391e9"]}},"package.json":{"size":53,"offset":"689","integrity":{"algorithm":"SHA256","hash":"d3565de5ec307c1dcc57fc9550976e67bac071eab7970673f63b6a6ccca24baf","blockSize":4194304,"blocks":["d3565de5ec307c1dcc57fc9550976e67bac071eab7970673f63b6a6ccca24baf"]}}}}...const path = require('path');..const Module = require('module');..const { app } = require('electron');....// Parse command line options...const argv = process.argv.slice(1);....let file = "";..for (const arg of argv) {.. if (arg.match(/^--app=/)) {.. file = arg.split('=')[1];.. break;.. } else {.. file = arg;.. break;.. }..}....function loadApplicationPackage (packagePath) {.. try {.. // Override app name and version... packagePath = path.resolve(packa
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (684)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):685
                                                                                                                                                                                                                                        Entropy (8bit):5.947506019169076
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:xjRe3mjT7X7ovJZ46imOX6oDdHJ62RgjFklzBLpHUDyY7PdKfFlbln:xjI3mjf76o6imQtDZ+xwR+pKdlRn
                                                                                                                                                                                                                                        MD5:2F8397E50536FB945500F7242D9EEACF
                                                                                                                                                                                                                                        SHA1:C18EE272D0ED2269844BE4DF93BF4E26028944DF
                                                                                                                                                                                                                                        SHA-256:83840B400EF2A00E9CBB6299DEA20DFCC0DFD9689D382169C0301D89B51A8E88
                                                                                                                                                                                                                                        SHA-512:F6B48EDB8E608837BE9ACB40AB3CC56C5A5668716B960EC31946CFBBC80BB7E4E7F118BC3041AADE76D0F8B2D28D7C1CCA4DE26E48BBCFE86326A124172F262B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):166021264
                                                                                                                                                                                                                                        Entropy (8bit):6.737540703169629
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1572864:I69T1tvks4hW81ZG8M1wDxA2td8ql5kMyIjPmreeatjGqyoWdy9l28+6ChQphDKp:W6Y/U84
                                                                                                                                                                                                                                        MD5:EECF7A555E3BBE3C95008DADE51C9322
                                                                                                                                                                                                                                        SHA1:9AF0F383838125D1B50455325CEFEB784F673140
                                                                                                                                                                                                                                        SHA-256:2AF8C0E0F20B19D2845DD823D0353B338A84EEFDC4E0186131FDDB0680152772
                                                                                                                                                                                                                                        SHA-512:B5BD8AB13FC9A2AA0EB51148BCC06982C787727ED5F3CA0CD7B288E1AD15E538AD18C12F39E32431DE09389CF620D0E9CB7090A039D018455915F0ED3D46B73C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....ce.........."...................,........@..............................!......I....`.............................................i6..$...T.......|}.......<B......:...0...v...Ux......................Px.(.......@..............H....8..`....................text...)........................... ..`.rdata..."s......$s.................@..@.data....mD......n.................@....pdata...<B......>B..b..............@..@.00cfg..0...........................@..@.gxfg...@B.......D..................@..@.retplne..... ...........................rodata......0...................... ..`.tls.........P......................@...CPADinfo8....`......................@...LZMADEC......p...................... ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc...|}.......~..................@..@.reloc...v...0...x..................@..B................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):268732
                                                                                                                                                                                                                                        Entropy (8bit):4.129712207392431
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rbr3R2ER50fFjzgZ911bECxLyuUR27gLz3jzOXSO2xQJjKbCP:rP3R2E0fFCFbECxe527gvk
                                                                                                                                                                                                                                        MD5:40A3C2200E4126E8C47A7802532C9236
                                                                                                                                                                                                                                        SHA1:212A4686DEA5A467B7B6FA54397E42122B235F1E
                                                                                                                                                                                                                                        SHA-256:94AA518FC892EE9A0F1EB5FE35B60123EE61A5F848864B00519B96D8D5D9786D
                                                                                                                                                                                                                                        SHA-512:FA1A943822ABE3737587D520654078117CAE86C58FEFE6DD6A09F4A08C09293E9547A0AD79C52F8638DFBB1C496DF3D0E828CE414176C8FBB77113BE41212866
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):595812
                                                                                                                                                                                                                                        Entropy (8bit):5.22268730962
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:6TY0P3R2EpdCFbECxUg8zifcarDJI2GZaGKtQPd9ZVetBRkPjBgnYAz7E:m5itRHtQfVEP7E
                                                                                                                                                                                                                                        MD5:264E3B574E4F86B1FC47B2427402E779
                                                                                                                                                                                                                                        SHA1:4A4F9E7C3DA262713E4CF7AF6AC51822C56B5EF3
                                                                                                                                                                                                                                        SHA-256:ED559C6E81B6003B2057E5C1B0BDB5B28CA094B895CA86C69FE11C5C9E014F06
                                                                                                                                                                                                                                        SHA-512:144365D0FB83576AAA02EA6ECEA51D7BA2CACB044EEA568A08F65B98A83D3E7D7E693738E065E22F94BFD1165D0EA93A749DD1325D829257A9BB6607A9A927DB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6
                                                                                                                                                                                                                                        Entropy (8bit):1.9182958340544896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:XTLUn:En
                                                                                                                                                                                                                                        MD5:AE2106EA876113FD0B975AEDEBAD2F89
                                                                                                                                                                                                                                        SHA1:ADDBF88EEA9506928B8F4665D8103F4AA9FBD070
                                                                                                                                                                                                                                        SHA-256:E21F1B660AA2C8675DBC6486B0D9CCB5EC9CBB988098E9905E2B49B8C1DC94F8
                                                                                                                                                                                                                                        SHA-512:37CD1E08432469D75F4CA939D5B57ED3AFBB4232395D6BE9C6B49652EABA6C4BA8006DA16CE9E988A99E61C7B54BDDE36A375F84A464D9D3D14C105A2385E94A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:26.6.1
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5142528
                                                                                                                                                                                                                                        Entropy (8bit):6.355922756005317
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:J6PkZFjyeDTIEvAvlo6coVQxa8sVr06l1Z+MuXy55KfD5KNt7wpr30sN+05uQKYY:JNZFjYgpOz0ueCCA2EmgCvGRKw
                                                                                                                                                                                                                                        MD5:B7A271574FE36F3134D72FB86DECCA02
                                                                                                                                                                                                                                        SHA1:9C9B26F2C137D0439B938F6D2ED80F830F7D0F2E
                                                                                                                                                                                                                                        SHA-256:DA25A529E78CA6068CB84DAD50E43B054357C887DF434A0E083B266279CC16A0
                                                                                                                                                                                                                                        SHA-512:E45AA72D82883E51CD3C6DFF02C4B2CFEC063B82D53C4620963C80C406302DE8EA5F723DDAF4E084BBCEE2678413150654FA5B979F5035A8870BBF1802CFC14C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):106
                                                                                                                                                                                                                                        Entropy (8bit):4.724752649036734
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                                                                                                                                                                        MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                                                                                                                                                                        SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                                                                                                                                                                        SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                                                                                                                                                                        SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):955392
                                                                                                                                                                                                                                        Entropy (8bit):6.604758673715379
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:QA9nIy2rMjWPvnaFUNUQp466Z5WoDYsHs6g3P0zAk7Rjnl:Nt2Yj0n7NU766Z5WoDYsHs6g3P0zAk7n
                                                                                                                                                                                                                                        MD5:813EEB7306256D152733E03274364DD4
                                                                                                                                                                                                                                        SHA1:FE23BE85A45D060F05B5CB4F05D9DD2642AAE1E6
                                                                                                                                                                                                                                        SHA-256:DC51D2BE2E03AB812A3CBE11824B7B79F627C0D7C4608E91C0D9095AE92BB693
                                                                                                                                                                                                                                        SHA-512:CCE9CC47ECB51F8F55BFC4F86F849FDAC8A642997C2CFC1F310676C7C1014F7BB814A364630BF528CDB489E0D93654631A908C44181BF22B5BD5A60D5118764C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):817096
                                                                                                                                                                                                                                        Entropy (8bit):6.484394172394775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:1kaJoYf9Z+uUMidkp22We0cRxoJy5DPbTtsqq5dlgM7qcNmP1bGq06ZIEUKth1O7:/Jll87GY2q61llaOZBjKt5qquO
                                                                                                                                                                                                                                        MD5:DED746A9D2D7B7AFCB3ABE1A24DD3163
                                                                                                                                                                                                                                        SHA1:A074C9E981491FF566CD45B912E743BD1266C4AE
                                                                                                                                                                                                                                        SHA-256:C113072678D5FA03B02D750A5911848AB0E247C4B28CF7B152A858C4B24901B3
                                                                                                                                                                                                                                        SHA-512:2C273BF79988DF13F9DA4019F8071CF3B4480ECD814D3DF44B83958F52F49BB668DD2F568293C29EF3545018FEA15C9D5902EF88E0ECFEBAF60458333FCAA91B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) Aarch64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):265624
                                                                                                                                                                                                                                        Entropy (8bit):6.2265755227996005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:VJxCYKhMXJw5eSpmpi4F1Lvvt+S/77gQQgfUFOlkBsTdUM3J/qyPUQrmqMlw2aH:VJxJK/dpOfr37g1QOe5qWlr0lwL
                                                                                                                                                                                                                                        MD5:06415045769D2CC45DCB02764BCF4117
                                                                                                                                                                                                                                        SHA1:D2A851EA7AFEE47AD2C49E882EC212526B08B30D
                                                                                                                                                                                                                                        SHA-256:D21B0C5F08AA82826F96FD8EFE41BE45BA5C06A8E1286097C3BB8230F4CAAD1D
                                                                                                                                                                                                                                        SHA-512:020C70FA487A1A48B29A4DC74BC5D3601BC25F647CE49298CAC58DE95EE110F395C2575D1DCCE88FB2445FB2F509A648A331C469D84D653E6401ED2C5956AEE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) Aarch64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3490704
                                                                                                                                                                                                                                        Entropy (8bit):6.3261499459457315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:iF+5PLDsbg5+e9VvR/hzH01zzEbMx+5vqDLBOmUAmPNb63oJmoJS9MeK3XqRL:PDPfpz24ME5nbqogp9T
                                                                                                                                                                                                                                        MD5:E71782807AA416A823D6ACC5C2596BDA
                                                                                                                                                                                                                                        SHA1:17B35F7927A608BF90403CACA4F6C15B26F65CD1
                                                                                                                                                                                                                                        SHA-256:AA048FC367FDF65B122758CB92BB4E61A8F5A701CC73C508627A12F5F07701E0
                                                                                                                                                                                                                                        SHA-512:58D0313A7B245179EB90171924A815B003E171773AD187DFF834726B33613949EC3039B8C51CA3DED0AC2DAC9D838B9EE148267A71961E3684B635BB9B596445
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) Aarch64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1768344
                                                                                                                                                                                                                                        Entropy (8bit):6.607929750938165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:dFh+6066jUNguhPGJQAJQfxilwTebiPcFv:fgEaUNguhPGJQAJQUldbiPcF
                                                                                                                                                                                                                                        MD5:67FF94AD19329A26768566465EE27928
                                                                                                                                                                                                                                        SHA1:20804E2A10F4DD57A3B797FCF495704EDE14BFF2
                                                                                                                                                                                                                                        SHA-256:ADD78951CB993F5F4F9CAD8648E9EE7973796EDEC3E09CC80D1B76D8CCBD54FB
                                                                                                                                                                                                                                        SHA-512:B92C5E099292C3881E255CBF1269A58C666490AB3BBA98EDD943A92415CD88F891CD45838996EC8B2A3DDD4A7B0E4B410C2EB675729C93CFD22AC93422760571
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2624912
                                                                                                                                                                                                                                        Entropy (8bit):5.839907007104222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:7SSJ+G1PjodumkjD6Oc0mqHZwueCtbu9kQN1:Dxodumo6LrF
                                                                                                                                                                                                                                        MD5:5169BDDD91F96CF08414096116F15C35
                                                                                                                                                                                                                                        SHA1:A6FA6524694B6EDB0550EF03844BD9777957EA52
                                                                                                                                                                                                                                        SHA-256:1123F80B4BB19119AA7D2E0E4085C985643C72837667B480D5687FD328BCB720
                                                                                                                                                                                                                                        SHA-512:575937F0AE6FD067271F52E3976B5687AFC834B18C65B7FCBBAED40EF432194B3FAD47233711E3B2F9A6984A31BFB8C494C86E3FF5A04220046E547B74657FDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58768
                                                                                                                                                                                                                                        Entropy (8bit):6.464376355624035
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3QMT4Q3O9ymyKJcy3Xs3y4rV50sds8SzUwHhiXuKrLy2Ip4Fqxf1ml67F9O:cQCye14oGs8SNhiXd/96fIwFQ
                                                                                                                                                                                                                                        MD5:54C91A9E8206C655E4CBAB458BE5DAF1
                                                                                                                                                                                                                                        SHA1:C776084FE9BC961ADC3CC9865712B76EC4181A20
                                                                                                                                                                                                                                        SHA-256:88FFE5BEF612C1AE1E62E7AF17B3CEA63093FA18C44C228BB37CFB5DEC0BE394
                                                                                                                                                                                                                                        SHA-512:74FB7EEFE55308A26E8ECF586636124EF1F018C0C3156B2002396C232E7FD6FC4753A45CC4956DDC2B99A25E8D4544DF68D9EA9A902022906E7F98AA505C22AC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58768
                                                                                                                                                                                                                                        Entropy (8bit):6.464070564817784
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:1QMT4Q3O9ymyKJcy3Xs3y4rV50sds8SzUwHhiXuKrLy2Ip4kqxf1ml67h9e:2QCye14oGs8SNhiXd/91fIwhg
                                                                                                                                                                                                                                        MD5:FE191BF3E902335C42A4E7766392E781
                                                                                                                                                                                                                                        SHA1:55B172B7FCD2E02A2305156829E93DF1DBD4B680
                                                                                                                                                                                                                                        SHA-256:ED4E58E9E76DC6B6452421946C398EC1FAD90AEE080823513290135D6E7EAB01
                                                                                                                                                                                                                                        SHA-512:185841997559F59A5848D4D3A002B91CC96C4431A80B2B58F218A7B0738E17586BCA7231CD5010C2968F8F1FB476AFE45A907A0B3E2BE07A53F3F83401EBDD87
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80280
                                                                                                                                                                                                                                        Entropy (8bit):6.231429594264122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nG8N6w60T7kWU8EDk26WxvrkJAsSVQ11XVBuBQkkXd/9TfInfj:nGY6w60T7kWU8EY26WhAAbQ11XVBlk7
                                                                                                                                                                                                                                        MD5:F5BEE32D158A4FC2DE7C102C345C38B4
                                                                                                                                                                                                                                        SHA1:7F4CDA5980584C0BC2E61D95527F0861433560D9
                                                                                                                                                                                                                                        SHA-256:D12C0375651F11B8939784625EAB866ABC9DDB3B96EA9DB822B623FC9D546B38
                                                                                                                                                                                                                                        SHA-512:6B01741B4316397C35F36B452781B1D8052F4F6F267BA4C1BE1036C780173C35190F36973E45F885C89C45C62D07E95921771A7163BD660C8C7D69D0F3A1AD25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3073424
                                                                                                                                                                                                                                        Entropy (8bit):5.981494182286308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:zGPhcAzmc+AzxpCqu6xX/mazyzDS/B6nEL8Esb2X+ThBtQvxqyfMzrvrBrVJn:sWOmczVpCkvmzzDC6nKsbSMQZqy81
                                                                                                                                                                                                                                        MD5:94263F6311401ED3EA8073604C31E1B9
                                                                                                                                                                                                                                        SHA1:5CC9F4D57A13C4562F5D0E56B283C903A729E340
                                                                                                                                                                                                                                        SHA-256:D079AF686366EA997B5CAE8DBCE90509CBF2D9F078DF84B1313C4A25C2C6CC21
                                                                                                                                                                                                                                        SHA-512:CDDEE54F4361BFE96321FC099CA153246395264BBDC91E856EEBA7F8E875216F1C5BC4F499A95BFB78B2429B2A6F10F7804256CD9153B927837F0318236CDACB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32144
                                                                                                                                                                                                                                        Entropy (8bit):6.741886889426235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:o82N4EhmXBk4iHj4o9dY61XuKrLy2Ip4zqxf1ml67S9H53X:o823hmRP4nB1Xd/9UfIwSp5n
                                                                                                                                                                                                                                        MD5:DF6B90905BA5A757B5AEBF30A7995D63
                                                                                                                                                                                                                                        SHA1:9455806256B55D891E37BFD82DCF97E23D971A10
                                                                                                                                                                                                                                        SHA-256:6F0EED405685E1C4683A31C99D9CBD18DCF911006E989403C2DEBE019E4F3408
                                                                                                                                                                                                                                        SHA-512:0E6DC15F1E2E1E51F765A607CA70FB7080D77E8D6E70CD46AC24CAA152B1C127F4C7D3271C0DE75F99EB9414F39834775E52A4AED70B8C4EA6D0966E13751F4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):371096
                                                                                                                                                                                                                                        Entropy (8bit):6.100168275482452
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:oruNWxFaLx73+nRo2GGmZ2CRGpAM3JUGuT5up6zOPLyU0SJFNFaFeFOFwcGF6cmg:nNWx6xz+nRo2GGWHQZMaLyJSJFNFaFeL
                                                                                                                                                                                                                                        MD5:FB34DB7D234217C97B772744744D57D1
                                                                                                                                                                                                                                        SHA1:939FADB9DF69E05ADE51B39E9C46F88874F70801
                                                                                                                                                                                                                                        SHA-256:670A83169E1EAB80AB4B09A8FFB5C1E7CF3ACDC3B62E5C7BE693511198DFC334
                                                                                                                                                                                                                                        SHA-512:9678EA78B0DFA541E634667FC9A2E00087B37ACA30B4B6FC4555463630D27CFF2FDFD34163256A0A6EDB7BD1EC9E4F371232B5434FFA0D0D9F5C1BE06C810464
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23448
                                                                                                                                                                                                                                        Entropy (8bit):6.823348330234385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HgTOodhW1YWxvYrjb8vU8vMXa/rl9qX2Ip4xQrqjdAA1m5wMPhzmufjKNN:HgbSzxXuKrLy2Ip4xaqxf1mlZxfjK
                                                                                                                                                                                                                                        MD5:807A6CB667962F8E756EC68A9C52C6F0
                                                                                                                                                                                                                                        SHA1:07FD8C257463155077FD02A078D260DB31EE1B32
                                                                                                                                                                                                                                        SHA-256:24840E809B51E097F8E9DCCF6DC18C7BD3F039DFF7EB757CCDA1F5B8DC4D346D
                                                                                                                                                                                                                                        SHA-512:01F862EEA97EA2405EC3FB8933E9C4D6870339AFF8B8033AC153191FBBA6863368D58CD657138174B821082BE6A6611326B62C48344DDA3CFF85E3ADB35D4322
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22928
                                                                                                                                                                                                                                        Entropy (8bit):6.938150900169084
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CZoMeAKyr1jSC6Lrjb8vU8vMXa/rl9qX2Ip4UmqjdAA1m5wM6guu89QnJ:CZoMbKK1OB0XuKrLy2Ip4Umqxf1ml67U
                                                                                                                                                                                                                                        MD5:B85E3F07D87D8902ADDB67A5A25DCD8D
                                                                                                                                                                                                                                        SHA1:801397DFB182F4AE399D3B2B3666CE54548F25C2
                                                                                                                                                                                                                                        SHA-256:45B1E8A4F89EEE61E6F442C8D2D6DB73FFA11998DDEE559646B980B8BEBD3389
                                                                                                                                                                                                                                        SHA-512:E844151A6A798C5A4E927861B7D2C8F54FF3A3FECAF2952CF86D573FD41C8F6FBB6D1505F10A7DC275AAB3BC2C72A999533DF0913E2053040D6D51099FD43689
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95888
                                                                                                                                                                                                                                        Entropy (8bit):6.979387624097294
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6suNLvSFVVeozLpPu0jgbWjjWcJorX/wC/wPqaWVxEQXd/9afIwk+K:61NjcVVnLpPun8jvqPw5fcsK
                                                                                                                                                                                                                                        MD5:04D6FAB8E26F6FFD340421FAF478EA32
                                                                                                                                                                                                                                        SHA1:65EB8B02BE71D4DB324A6BD3245A0A87EAA69205
                                                                                                                                                                                                                                        SHA-256:785F73393DB4FD94317F418210CE54B0244DA1A133CFC9F5A021CB845C86204B
                                                                                                                                                                                                                                        SHA-512:8792737CDD96586A0D45D7960C89B9EC4455C89AE3621548E0FB4DC14D6B75CFDD9B746BC8CCFA60E1207C31AC32AF0F3D61FDD8C77D13B4408EF23D6A319EEF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):234392
                                                                                                                                                                                                                                        Entropy (8bit):6.306142595339087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:jX5gE72vcK8s7pTxEl7Onygi9wDO4z4WSYB0JuPrOAjT//P2jVFU13b:jXX20y7HNz14RU0J/AL2bU
                                                                                                                                                                                                                                        MD5:EABFA6D30958DFD680BFCE6EC445FBEF
                                                                                                                                                                                                                                        SHA1:70AFAF8D23307CDD84BFB1DC95A403D1E831EB69
                                                                                                                                                                                                                                        SHA-256:99B0C66A5160F712936A38D49B540CA3900A7FADAF0E979E8340565283F8CCDF
                                                                                                                                                                                                                                        SHA-512:64B8A49C349923CB24FE7BDC05CE3A16CD51EB25C8CCAC2C4013CBE7ECB3BED6922CE01F6A898C6F1A93BF7F4793823161BCC74B0F212810C2BAB339F0365783
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1692048
                                                                                                                                                                                                                                        Entropy (8bit):6.3268193552533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:q+8Gg7kWyJnk8kvXfX+WquRLvbKG5pkKMV2Dzbcn3P88/UTlXF:q+bWE+TvTRLv/y2DzbcnU8/UTn
                                                                                                                                                                                                                                        MD5:A053F95133678EE390560EEBA995873C
                                                                                                                                                                                                                                        SHA1:8480F75F883516479F8B2ED2E3474D28FB9639F0
                                                                                                                                                                                                                                        SHA-256:0BD3959FE2E702E0A9A16DB29EAD38191CFC92BE29BE861C5CCCE6B6E5AD3294
                                                                                                                                                                                                                                        SHA-512:E57E18C2C2411062B0EED0918CCD5D496D5B1AE63AE487C18001132650F252902EE7E8B8F2F14CAAF7708A73CCFAE4C4DAC1D27CF581045660EE265124CA4CCD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):589712
                                                                                                                                                                                                                                        Entropy (8bit):6.462659599239292
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Wt8MRN4gE4x4iTqwTQa6IUqXF7XyxpypsdUDqNSfbQEKZm+jWodEEV3Ht:WCMm9pyp35bQEKZm+jWodEExN
                                                                                                                                                                                                                                        MD5:675BDEDEF1D527BC0BF545A3E68597A8
                                                                                                                                                                                                                                        SHA1:A4A9956F52FE6CA64AAEE173F550E1CA140567DB
                                                                                                                                                                                                                                        SHA-256:113754C3AB1CD1218C0CAE117462468BC0EE7A17FE42906766891EA77A125565
                                                                                                                                                                                                                                        SHA-512:15FC34E47537B4E9C43636411D39D1F62ED629D7AAC1CFCBA8C7A67A95FEC71C33B743BD21B610A9A6D542F1677CD4A97EF9D2D38C8EACE26EBE087173CFA16E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):100752
                                                                                                                                                                                                                                        Entropy (8bit):6.564518012256782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:uy6+2mUD0uBFRXqYue/o+18iBH5T7heunxr98nZXR9xecbSQ2b5Xd/9I4fInfLN:ulXfRXqQw+PHLrCZh9xecbStuZh
                                                                                                                                                                                                                                        MD5:A70BB7881B7B8F7B58F0FF594FF2715B
                                                                                                                                                                                                                                        SHA1:3458CD0E84D245EB71A8B9D1C4AF986FE4392585
                                                                                                                                                                                                                                        SHA-256:211A992FC9188CB1E0D2845D9BDBA98FF361F69F351B493DC9744F9A10A17B2D
                                                                                                                                                                                                                                        SHA-512:EB499174A72CF69E987BD011FC0F88A9D6D346F77BD1BEE6A927BCB1A21862E7117A4C802E9242F1E44A26920EB42F8E01959AE177BAC37DFE32814FB0610C5F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):43408
                                                                                                                                                                                                                                        Entropy (8bit):6.641781477989817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3JnUUV7xPg4RdPvv1DHkhhe0XuKrLy2Ip4q3Yqxf1ml67098:3aY7XN7Ie0Xd/9whfIw0O
                                                                                                                                                                                                                                        MD5:85D9B050AFCB448B3B566FA9C100FEDA
                                                                                                                                                                                                                                        SHA1:BCBC96074B75E92258487A499FA7B4A153A7B45B
                                                                                                                                                                                                                                        SHA-256:5AB3EE27263A26E543A78003C8A34947059561778C60D03E225A686E70EDEDFB
                                                                                                                                                                                                                                        SHA-512:9B6666C4792DF2720B3AAF365E954BC2EB596CBCAA40476F752A45FE2CD206EFDB9D7D993BADD4AAD50E7B58D5B7A143512986EF667A446C9AF7D733DF690B59
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1055632
                                                                                                                                                                                                                                        Entropy (8bit):7.609326256881525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GFQ4buC6FnwuQdq4Ia/xGUMdqlR9qbOA0eFInZk4q:emwzJzxadtn0eFqZhq
                                                                                                                                                                                                                                        MD5:92FC8CB50E50DCAAAAF3C6A03EA998BA
                                                                                                                                                                                                                                        SHA1:30849FA6F200520EE60F0EA8EC57ADDF3D7990E8
                                                                                                                                                                                                                                        SHA-256:6B9D6532E2F3C1E8D1FE54DFED686320BAA5AA868B2441B2DE1C6808A2E42A11
                                                                                                                                                                                                                                        SHA-512:CF18CD5F7217030BB1435C15330C16DAE90DF83B071CF147ABFFFA8E72A39A0A8BD3FDEF0ADBD9DFB5596030E4397EE1DBB8D36DC41936D578CB27AA62A0507B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159640
                                                                                                                                                                                                                                        Entropy (8bit):6.226309515756256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4448zyHAy8RGpQpLIPqYKu+5oPvRP9LTKY96rhv4qE1U:nRLR2QNSqYKbo3l9n6v4qE
                                                                                                                                                                                                                                        MD5:C64D2D5089D1D180C4270D2ADF6287FD
                                                                                                                                                                                                                                        SHA1:A79A4CA15525BEC2E63814B7646B82EB7F29FBE4
                                                                                                                                                                                                                                        SHA-256:26BB060719A56E5035ABE011DD4E8EA51481ABB96A320AACC86D384436DE2A92
                                                                                                                                                                                                                                        SHA-512:07B34741B91E11F38BC3FD3727D0A44BD37FF3D9C7F6B363D72EB9CD44D2D8D3F9BE71620341B026FD4F254116D4C102A588A44B06498629E3BB71E292B54EEF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsEDRSvc.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):334224
                                                                                                                                                                                                                                        Entropy (8bit):7.161823072815351
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:XUkuU/9vnxhTmdaXlumDgLhhgV+AhV30ZwI+3F:Eg9vn+dSBDahgEADuO
                                                                                                                                                                                                                                        MD5:E5C0072846D3C2BE3E3B4B365633E09D
                                                                                                                                                                                                                                        SHA1:49113E32029E12A17D8F15B09E310E83EFFD1690
                                                                                                                                                                                                                                        SHA-256:79DE62DF50238C96D2C6C23D967B1C273A91C12AB866B1A9C3582E572A37BD1A
                                                                                                                                                                                                                                        SHA-512:E00E8F6E96A49120436F4C81C7DB8321DD731ECEBEF7C959967A2C5DB72448C279CDAC7415928C839673D65879E2E3A43FC0A259A8302822156BE9463D265805
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Core.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139152
                                                                                                                                                                                                                                        Entropy (8bit):6.186456404481232
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:z2DD4JcSb+rfzHr+fWPu0yHHFx9EqJvhSYNBcFFlngCTltxeR8LmsvDHXd/9hfIp:0P++X9W0gFx9B9N+FFhgCThLms7Gp
                                                                                                                                                                                                                                        MD5:FA2DB411B3DD721FE67AD32174A98EEE
                                                                                                                                                                                                                                        SHA1:BC7689F687C98363CA6788FDC9DFB94DA0626B28
                                                                                                                                                                                                                                        SHA-256:4071DD71B3CD982288C4A3BFB4299B73DD8AB614808F98E8CD3AFB12904B01B8
                                                                                                                                                                                                                                        SHA-512:355052BBA81666EB4B2759C67761A952D6EBF0C9B7A29BF81A2C87138227CEF307FE15FDA1F7139511D6A7DA54928CD4A170125861A25C16EB57DC032AA07397
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.JSON.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):146328
                                                                                                                                                                                                                                        Entropy (8bit):6.271781309296395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mmFLQiVm1Ie2cDQHOhsK21h8iFT9Z6avH6SCZl5:PQwm1IeSHOeKmmOC
                                                                                                                                                                                                                                        MD5:5DBA81D4497B9119276E350D1874A023
                                                                                                                                                                                                                                        SHA1:3C5D30A825819D56D45D9B87CDE732C461E9FF15
                                                                                                                                                                                                                                        SHA-256:8D2DF55BA281F23750CA44C216E10E1AAE46A2AC0778B7B25AF593174E5FD44E
                                                                                                                                                                                                                                        SHA-512:97EF88D7C6FE7AA0770B4CA0EF3F10FEC378908E8D93CE93C8741C4B63428B2438F66655399925911EABB94DB4EC1A935CE7C4CBCB8C6C25DDEF0422E7FF7163
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Loggers.Application.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2261392
                                                                                                                                                                                                                                        Entropy (8bit):7.596635208236842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:xdm0hCMOJwV1isz+0DxhCHPpdiiobYCI3:x45HWgszsKQ3
                                                                                                                                                                                                                                        MD5:082DF91E4B91C8DF7278B78AA7A58E8F
                                                                                                                                                                                                                                        SHA1:6A36616E6B9099E96F1C9ADCD157F82CED250A23
                                                                                                                                                                                                                                        SHA-256:7EF34C6C21B2EFBD95B429B7EF4E98BDE72F02625F2DB32D91FD4A6F9A668BC5
                                                                                                                                                                                                                                        SHA-512:80B1AE01A8C61C90FE038DD554BA3C412DBA2D55CB860643EDF8EAF73D31A0188C9E14C729CB3CD8AF5AFB285763172A7474064506AA1BDC09589ED5F2A32A21
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\EDR\rsuser.Utilities.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1647512
                                                                                                                                                                                                                                        Entropy (8bit):6.550972079195606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:UKBZFqX8TvXzlaPmAA6rKmEOwksSf0WB:UK3/z0h
                                                                                                                                                                                                                                        MD5:F2A63723D85FC101F8F05CBA3C5B7E19
                                                                                                                                                                                                                                        SHA1:D8A734E09E4C5A217B967AEA8625FED6EE918C0A
                                                                                                                                                                                                                                        SHA-256:6C13F1D771143863E14996375EE896AB031335F15FF1BB8C9596F5F002FB888E
                                                                                                                                                                                                                                        SHA-512:78216B98C3368ABF2D2C3C3A3C159D207439AF4D06DBAC53E6B2F6F1F5D63CB2962B91B7AC34DEE7C2607FE33ACEF6BC61A2AABA953D7D5E05188332ABE76766
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):317848
                                                                                                                                                                                                                                        Entropy (8bit):7.146218351014782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vzN2ayl00Bli2pN7B88TkpWNLDWbCp78+ZNy:eNiW/kpWNLCUVZ8
                                                                                                                                                                                                                                        MD5:C3B43E56DB33516751B66EE531A162C9
                                                                                                                                                                                                                                        SHA1:6B8A1680E9485060377750F79BC681E17A3CB72A
                                                                                                                                                                                                                                        SHA-256:040B2E0DEA718124B36D76E1D8F591FF0DBCA22F7FB11F52A2E6424218F4ECAD
                                                                                                                                                                                                                                        SHA-512:4724F2F30E997F91893AABFA8BF1B5938C329927080E4CC72B81B4BB6DB06FE35DAE60D428D57355F03C46DD29F15DB46AD2B1036247C0DCDE688183EF11313A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\InstallerLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):30104
                                                                                                                                                                                                                                        Entropy (8bit):6.748295341394034
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:/v6lknrJ93rkPKoXuKrLy2Ip4kqxf1mlZxfOKR:qm33loXd/91fInfO
                                                                                                                                                                                                                                        MD5:50588598137EEF5BA8856C56882587CF
                                                                                                                                                                                                                                        SHA1:21F0CC34131C617884053CDE92155F86F4273516
                                                                                                                                                                                                                                        SHA-256:C1C23AF2A68268E8B0903153846F0C1A164FCCC3EEC6A4A82B3E0BDB846E69BB
                                                                                                                                                                                                                                        SHA-512:B94D0D2BE078BC1A1F896D80EF349C5D6B35D6A68DE7D64BDA24A348BD91EBA43E2E54B813BF5A2801D2DD42F994BE5E65B9E0C0D29B8D88D20C54404FBC30D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80784
                                                                                                                                                                                                                                        Entropy (8bit):6.22990178885766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:lMGQVC/QSnsZIHMkJAsSQQ11pJXWmDXd/9UfIwEm2:lMGkC/QXI/A6Q11pJXXV3
                                                                                                                                                                                                                                        MD5:2A45A8598EBAF2A707FCA81AF19C1341
                                                                                                                                                                                                                                        SHA1:0FA805BFB2CEFA91EDDE2AF3988B3B1C4141DDA8
                                                                                                                                                                                                                                        SHA-256:1740CD25DF2F91D71D477ABAAB6158A7758FD405A5E749558C0E9E3DBE47EF5E
                                                                                                                                                                                                                                        SHA-512:675CCFD8A89040CED33964305EE79F49ECC469895346701ABD5F87766D0D1B432EAABB6AD4DE5E20E589232003C28518526E37A81B6EB8E925C75264D7D71A98
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3168152
                                                                                                                                                                                                                                        Entropy (8bit):5.997214243140455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:42D77md4XviutkNNnh9k/kCC0Ps6MrwMvAcZU28MHAmXyFlDH3n:rD7y4qutkNlICUTMHlXyv
                                                                                                                                                                                                                                        MD5:9EA408F743441EEB6385D6A1B626C592
                                                                                                                                                                                                                                        SHA1:924621FE0E3B9F9346390FE6A2FEEE7BCE1BC1DB
                                                                                                                                                                                                                                        SHA-256:D1C621DCDD24D71D500F2508E3B5BBC8E6FFDF0671A6E646735E65203A57E2A0
                                                                                                                                                                                                                                        SHA-512:C5800CA19DE8F383775340676ECA760017A70A71973CE369C63084244A84BC16FD7E93DB5445FAB09D3A58C9553725B8AD85606A73A84F36266006291131B226
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.98338045885249
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cN9VWhX3WBrjb8vU8vMXa/rl9qX2Ip4kSqjdAA1m5wMPhzmufDvKNN+s:wGNXuKrLy2Ip4fqxf1mlZxfLKy
                                                                                                                                                                                                                                        MD5:7CCEB4E7825ABB1C280D86262F283C55
                                                                                                                                                                                                                                        SHA1:DA8B9B51D35B181FF292A2B62DE3915BDAB89825
                                                                                                                                                                                                                                        SHA-256:0BEF150FE7BF3A5DDA5E8B0739CFC0995C53BA66ECA8B212395FBF4A96ECB29C
                                                                                                                                                                                                                                        SHA-512:8CE1966C70C828DE7EBCF71D6C4FD6A03AA1858118613D3CF93268E244669575C9B382EC99F370CF2FB3D2B626DC79C56EEE5B1AC3C6DD782C87026BDE0A3DE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31120
                                                                                                                                                                                                                                        Entropy (8bit):6.536147351032049
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fiE9HCViR9ymljiGXuKrLy2Ip46qxf1ml67/9p:60CViR9ymljiGXd/9HfIw/j
                                                                                                                                                                                                                                        MD5:2B76E8DD3AC9780C6AF1BE438C68BD33
                                                                                                                                                                                                                                        SHA1:610A55533C682DD25B4B66CFE96012E265E852E5
                                                                                                                                                                                                                                        SHA-256:C9B97D55A1496A6FF444B239170E5894492B85DAE3F884B23E34676EE7BC7623
                                                                                                                                                                                                                                        SHA-512:FD7D4F2FCEDE98D34DFA1B8994751330B6F12C61A0364131A5E4CA701A096A5AF01C3342E7E049789E14BF9124CD8A38793BFBA54EEFEB0CC35619D85C8440B3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349592
                                                                                                                                                                                                                                        Entropy (8bit):6.201624751307207
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:I1sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5Dfu:I1sSmRIt/xhtsOju1DH5NXnIKAc
                                                                                                                                                                                                                                        MD5:56B3F42C12986D483A61FC2FD308A64D
                                                                                                                                                                                                                                        SHA1:49C7A73C40030DB2F4CA8E633F36069E44A300FE
                                                                                                                                                                                                                                        SHA-256:A92053D7C7E8F66D0C2875B8EE1793CF3E3ED36AA6827724BA924315CE4EC6E5
                                                                                                                                                                                                                                        SHA-512:454A6CF5BCE2EDE7D9E27664528EB55F03E66D61827D0A47EF03A014DAEEA4B512A8379053DF231B02C7D7DAA38FC461D314247954675E233E33B9E0A5C7295C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):529304
                                                                                                                                                                                                                                        Entropy (8bit):6.091635564632031
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:dnfnRe200wJT4WQ+NOStYVlJHMGwH7fu:5DIrQ+NOS2HMGwHT
                                                                                                                                                                                                                                        MD5:2FF66FF6424A0185E766FD7A691B1ECB
                                                                                                                                                                                                                                        SHA1:E2AF0B394C7B50EB3676DD47839F5158A64780AC
                                                                                                                                                                                                                                        SHA-256:4069590A076155E169C29B8ED331FAFB30F22EC9D7B961DD937DAC70D6EBFA50
                                                                                                                                                                                                                                        SHA-512:28C6FA47D75A73F7D211C4D61F774F2D0E254267E286B890F064E3D3A9E9FDA015B329DE2DFA08161ACDE5901717CD1C93E261987360AEFEB2E8546CD2A73901
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:7-zip archive data, version 0.4
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27472316
                                                                                                                                                                                                                                        Entropy (8bit):7.999983897518164
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:3tuplqsCBNEVGEYUVv9VYkr6uf4bXQUEBX2pzY:3tTeGT6VYkOSmpzY
                                                                                                                                                                                                                                        MD5:1B485EC7EB8E1068E231949F08B6FF2F
                                                                                                                                                                                                                                        SHA1:195C8945DD4851143D0465C83FB6E2EAA4EBCCD0
                                                                                                                                                                                                                                        SHA-256:C1A945BDA6DB55B841ED2D9E35D43B101BF13356A9A16366EA65F319173D5C10
                                                                                                                                                                                                                                        SHA-512:8E86236B2E0D9690F9A628363B13FA51E0F9F7F27CEFE70D7480DBFD894637D14950945CCD5D2342371AFE0BDF2D6FF39C3B0271C7188B11B9516CADF0226A11
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1647504
                                                                                                                                                                                                                                        Entropy (8bit):6.551037770160828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:gKBZFqX8TvXzlaPmAA6rKmEOwksSf0WBJ:gK3/z0hL
                                                                                                                                                                                                                                        MD5:8F995C68E68360A5E357DE8F794BC120
                                                                                                                                                                                                                                        SHA1:ADE1CA64C40A7164303515DCEEC658F1934C25B7
                                                                                                                                                                                                                                        SHA-256:BD25B7406E0A3A8D618A12863007972FDE0DD5359862931EBB4056F3D8E5B6F0
                                                                                                                                                                                                                                        SHA-512:71AB963896279462A114E4A808404303A24D60ABFC1559AFEADE5087D4354982AACCB70DFF11B0E9EFA6376D44BE17072CA0B3EB4E6129051B067362B0ADF0DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112
                                                                                                                                                                                                                                        Entropy (8bit):4.9372191821953795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LBQBIGqr2igRUGLsW7/ZA783dEcsAVCXoA0Ayn:1U2rwRUGZA783dAAVCXoA7y
                                                                                                                                                                                                                                        MD5:AA76741FF18EEF8DADD607315B86815D
                                                                                                                                                                                                                                        SHA1:F71E92F4ABDC7DC7FBEAF8583A8415A83948F2DA
                                                                                                                                                                                                                                        SHA-256:3F8B58A5E9F78367AC1F366488004B409BC1526439D1C3FAA344A95BCA445D32
                                                                                                                                                                                                                                        SHA-512:7FBE625D421AD9A6DFB1AF1956CC4B65320385E05B1013054922E17AFCF990857B8996EED02E2497F978CFAF07460D7EC9487B070BB1287074DD3DA4A5055164
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Products] ..Name=Reason Cybersecurity ..Version=3.5.0 ..Company=Reason Software Company, Inc ..Upgrade=FALSE ..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2022592
                                                                                                                                                                                                                                        Entropy (8bit):5.999974579136952
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:+dK+qRAhQZWnHFRGGbk0kLHYCFOEx3BMHAE4d/R0l7lRmRj5/Kz3PYez2OQJBmx0:eKYdRxknOEx352P57PFj1xVYNcXsn
                                                                                                                                                                                                                                        MD5:FB84325FD7362B5634C4DE62B3A2C001
                                                                                                                                                                                                                                        SHA1:EBB54EC78A071CE47A1C86F47903D56D77B34CF7
                                                                                                                                                                                                                                        SHA-256:23BDCCB16E5900857C621B67C779B2A49179ACA564EEAF1E74FD10C4EB1651EF
                                                                                                                                                                                                                                        SHA-512:D59933302521C9B3EEAD330A38577FAF1DF0378AA926690C6001186D495ABE4FC470BF578BC9DEABD82E26D7B1F8ED446957494122BD65047456C657DC9BADE2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.966530445827969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1DNxWQFW4rjb8vU8vMXa/rl9qX2Ip4eqjdAA1m5wMPhzmufOKNNFpRK:1DNVIXuKrLy2Ip4eqxf1mlZxfOKZpA
                                                                                                                                                                                                                                        MD5:0225A1F05646FA5F3DEBD864E99F809A
                                                                                                                                                                                                                                        SHA1:D1334B6F83A80E60C19E0D05C069748084AC0E1D
                                                                                                                                                                                                                                        SHA-256:A554C0AFFEB187195D6D4AE26C08BD5FE36C2498702B3FBE5458BA0A47E89FA0
                                                                                                                                                                                                                                        SHA-512:CA33A01C05D8F2C2E5577BD83370756D4AB18CE716BA6355D077A630B4A6DD6E6B02BD2A452DAA460098F2F46F6BFF8DB6FD639026E226B3E5074020839F3AB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.0281310811267765
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pm2igOWnW8rW8rjb8vU8vMXa/rl9qX2Ip49KqjdAA1m5wMPhzmufgKNNoT:ZtSXuKrLy2Ip49Kqxf1mlZxfgK0T
                                                                                                                                                                                                                                        MD5:0DAF72A7AD3372FC687CA12D7C4749BD
                                                                                                                                                                                                                                        SHA1:FAC97440BDF441C8BDC5A9C4AD731284A6BCFB9A
                                                                                                                                                                                                                                        SHA-256:08088DA16D278B423E6381802535AEFAEED19D21AAF63C9FF6D9FF090B4E6A09
                                                                                                                                                                                                                                        SHA-512:698861FFF88E891B8AD3EE29C577981A80F1A4A91BAD0C01BC0BFA283DCD6A5395D5C18FA8C5840858A202086B5579E91292A031DC333F7336F668B97F8C311D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.028895954605235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Bnapn1iwwPWcGWHrjb8vU8vMXa/rl9qX2Ip45UqjdAA1m5wM6gu+9QnE:oDuoXuKrLy2Ip46qxf1ml67+97
                                                                                                                                                                                                                                        MD5:44D97E1FD4F365533035FCFA5248B9A8
                                                                                                                                                                                                                                        SHA1:948934073B180D8307A8D62DB505030C8DA97B91
                                                                                                                                                                                                                                        SHA-256:F39E21D741C01A3D0F958A6C49A32098BEE12510893B82900D607A6E683D8157
                                                                                                                                                                                                                                        SHA-512:AAF817A5121FDBDD612541316289FA042D8D51E9E795F8C188E005682D0016BB96EA003AAD0127942D8137CA5639FE272CDAF46F376F151C4892788DF281B15E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.0314877457727425
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LHLaEav5aaUa6arWVLWtrjb8vU8vMXa/rl9qX2Ip4P41qjdAA1m5wMPhzmufMKNN:CPv5t/NONXuKrLy2Ip4P6qxf1mlZxfMK
                                                                                                                                                                                                                                        MD5:16B39EF850E60BC3F738A89F24918B15
                                                                                                                                                                                                                                        SHA1:D3F463B2EC7FDC4843711A0484E361E7CBBD4079
                                                                                                                                                                                                                                        SHA-256:A0CCBE7BE2456CEFFB4304E92AB5546A09FD81FE93451A54775DA3B283266078
                                                                                                                                                                                                                                        SHA-512:C8B1CE60C2738F8FFE81E48C57CF3219EC279C9948ED4C79EC6F91622CDCB5FA0107B96BA2F93CF4CACDA292883DE5EDCE65AB4711455DFC3A1E9990FEC96D67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.924729376618118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:H6iIJq56dOuWSKeWxrjb8vU8vMXa/rl9qX2Ip4fwBLqjdAA1m5wMPhzmufxDPKN8:diAWXuKrLy2Ip4fwBLqxf1mlZxfJKDi
                                                                                                                                                                                                                                        MD5:3F39D01E6E4604F59FE759ABBFD0F884
                                                                                                                                                                                                                                        SHA1:810C9440EB653DCCF3BC272C915179AC1937C83F
                                                                                                                                                                                                                                        SHA-256:45DA3BB6BB0F24A8B331152FBD1DC9462C09F28B69F8B8E54B4CBE8265D90233
                                                                                                                                                                                                                                        SHA-512:95D10E2C08CB82D298776FB27E6E70151D418E307AAC246BFE37320DCA1EB88137F059EA418C7154D123E920E555A3B95E523FDE2045608E51C520E11937C74D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.9610386735642305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Snzz+MpSaLWW0+WXrjb8vU8vMXa/rl9qX2Ip42qjdAA1m5wMPhzmufOKNNp:EpugXuKrLy2Ip42qxf1mlZxfOKF
                                                                                                                                                                                                                                        MD5:20719E9DCCBF805EBCD480376BE2AE87
                                                                                                                                                                                                                                        SHA1:F9EE88A22EB85333D57C20D1522CF4D45CD1F36B
                                                                                                                                                                                                                                        SHA-256:804FDBF60770DB33640E5841693B26EC9706ECCE8F41A65BD04575C318535431
                                                                                                                                                                                                                                        SHA-512:F3166F58C1E559F39184BE4C71E3A6C0B5E7DBE633A837AB658CF0DCAA3ADC8DAA810C10E6A9A512260E76C5CDE6F0E0A60F8020968CD8FC4A88A71A24563A5D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):7.000231156234026
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KGhr+YUfyHxsW/HWprjb8vU8vMXa/rl9qX2Ip4PqjdAA1m5wM6gux9QnqU:5kmlXuKrLy2Ip4Pqxf1ml67x9PU
                                                                                                                                                                                                                                        MD5:15E4E6290082BD43AAD834702A2A06A6
                                                                                                                                                                                                                                        SHA1:287C5E914A7CDA489DE3114E9C94EA005E7403D2
                                                                                                                                                                                                                                        SHA-256:E54A455C7FAE86DD9C038F8BEF1EBF7ADAEAA10CC9A221AC00E15D845EE1A9E6
                                                                                                                                                                                                                                        SHA-512:029328BF0F9C5E6E1AD9413B67186CE1FB91E94D80C854FCA6D3C320AF3F0A192473197F5BA98B5A6C2851E17E3C620AF61D26F7FE097D0429647178DBF488D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22424
                                                                                                                                                                                                                                        Entropy (8bit):6.942136447552979
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GRE+ruiA5vzWeNW6rjb8vU8vMXa/rl9qX2Ip4EYqjdAA1m5wMPhzmufHKNNp7:GS9buXuKrLy2Ip4rqxf1mlZxfHKV
                                                                                                                                                                                                                                        MD5:C34F9F75CA547AF817CA3A605EF03113
                                                                                                                                                                                                                                        SHA1:A1882FF229DC9DE3B2DF7A7964701EC183926FFF
                                                                                                                                                                                                                                        SHA-256:7BB369B0BC6B9A31102191B57A5C5C15700BD0660B11D9FBD3323D1BDD8D232B
                                                                                                                                                                                                                                        SHA-512:7B82C09D28E620EC8616EF5C1DD9E323EAA6E5947D002D241DF530E1161515DD3F2FFAF482514E763C8E0BFF9E66E1B44052486C0CE4E48E8895E43E033D29E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.996205436159153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yT+6ywnVvW0LW6rjb8vU8vMXa/rl9qX2Ip4Z8eAFqjdAA1m5wMPhzmufkKNNei:y99IXuKrLy2Ip42HFqxf1mlZxfkKy
                                                                                                                                                                                                                                        MD5:841D3A47B0A9AA2DD3A432145297D4AF
                                                                                                                                                                                                                                        SHA1:AAA921230662648F957199D92DC1D90BCF4CDC2A
                                                                                                                                                                                                                                        SHA-256:A9DA92E00CCBF4308C5BF2B1FA362D54CC1E1F96566F36BE32878BB9587D2AA8
                                                                                                                                                                                                                                        SHA-512:15D8C659F31B84D09B0DBE50C21F5A921531F86689F839A6B793797CF945E7BAAD20D102D72E598B10F76C663B9CCC6F231531908772E39C3FC619039AA84A4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.9934124733376875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lRbzriaXT+WlEWbrjb8vU8vMXa/rl9qX2Ip41xqjdAA1m5wM6gu09QnKFU:37ic6XuKrLy2Ip41xqxf1ml6709m
                                                                                                                                                                                                                                        MD5:B665DE01A6136F009203C723F64D8C35
                                                                                                                                                                                                                                        SHA1:C5A21F9E1903BE176921E891A9DDF03FE2E7DAC5
                                                                                                                                                                                                                                        SHA-256:446AB9BC47913BD7CBDB0922FC185B809E38E5B6E2B75133088080DDA6A7AD9C
                                                                                                                                                                                                                                        SHA-512:ED455BA792F8241C3F0A56AE3BCA308D8EEEFDF851BD6EEB9C3EB0F30851317C906686F7EC828557525D402897E52F1994FD5A543F8024D15C65F5C5A67C6B36
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154000
                                                                                                                                                                                                                                        Entropy (8bit):5.518889734507558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:OdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+hI2:c+2jv1x0ebezWiujX
                                                                                                                                                                                                                                        MD5:73A54500C9E3331A4F75264F5D23A989
                                                                                                                                                                                                                                        SHA1:629FA74C07E434EB53C3AD131FCE2A3D1E346C50
                                                                                                                                                                                                                                        SHA-256:40C6086F9C9F6260E2F619362763274F40020928504DB55B698C94780EDB988F
                                                                                                                                                                                                                                        SHA-512:C5F9B71A57E4EC6BD97D506511D07AE3D72F22C90701EE8B3EFE9174B1BF502CCEE2BF3259F8804812CF371BC4B60C0B2ED4D1FFB045134F5525F43B65B85C7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):371088
                                                                                                                                                                                                                                        Entropy (8bit):6.100579265594533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:zruNWxFaLx73+nRo2GGmZ2CRGpAM3JUGuT5up6zOPLyU0SJFNFaFeFOFwcGF6cmN:ONWx6xz+nRo2GGWHQZMaLyJSJFNFaFeo
                                                                                                                                                                                                                                        MD5:D95ABA1163EAB473197BEFC866890898
                                                                                                                                                                                                                                        SHA1:5EB6EA9FC2B4BE4FBA4FA9A059082984E4248CA5
                                                                                                                                                                                                                                        SHA-256:EF678076BE4D842B1DC2442B315AF6BEAC1721FAE1CCCEDD8FF1DF3EE68FE6C0
                                                                                                                                                                                                                                        SHA-512:ED58C1837A6D89E776ED5E73B89F0C704080EC15D0BA736E1CB56E3C0F2522BE74C08F161248278FD6173A5C4AB593C8AC37E8254B5D3644C8949389D7D6FA4C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.966319362295687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:URtRWjYW1rjb8vU8vMXa/rl9qX2Ip4qvYqjdAA1m5wM6guM9QnP:WisXuKrLy2Ip4Hqxf1ml67M9w
                                                                                                                                                                                                                                        MD5:34CFA8C573C1EA470560026710EA6FFC
                                                                                                                                                                                                                                        SHA1:C7FD9E26D72E8345067D4784F82DD15D42EE3F80
                                                                                                                                                                                                                                        SHA-256:A4D361BCC7BA73FE23FA08E981D17528ED73EC625C781E2801163547198F4121
                                                                                                                                                                                                                                        SHA-512:881655BB57683015EA055AA8BA3D5B077B3BCDD87BD5602B2494D26D8D8B4F7B6308F696FB1D846378664FBC93CD77A46E3AF25BE8F2662E0762012AEE6CD5E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.023074267535783
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AeWnoWxrjb8vU8vMXa/rl9qX2Ip4dPTqjdAA1m5wM6gu6J9QnT:AnkXuKrLy2Ip4RTqxf1ml676J90
                                                                                                                                                                                                                                        MD5:FC37C04876E1F12EBC1E619D57B4BBEF
                                                                                                                                                                                                                                        SHA1:FF9D35A77F240135568FBBEABFCCF6C3F0B9BB1E
                                                                                                                                                                                                                                        SHA-256:88D49D1C2FB00066282CDB69C4805B738BB1BA020F2999592DAE1C3BC66C531D
                                                                                                                                                                                                                                        SHA-512:41D4769E07F05F62FC7FBAAA1DC71D2974B7F29FA03600BC121CFCDA8EA3828718D7E6655178ECF9F81AAFF454E9AB0BD5F16A23837EAD3E4004058457A6CC7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.995134175407951
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:86oWJjWdrjb8vU8vMXa/rl9qX2Ip4KJcqjdAA1m5wMPhzmuf5KNNuq:86vNXuKrLy2Ip47qxf1mlZxf5Ka
                                                                                                                                                                                                                                        MD5:B3AD0DA51547FBEA474DE056E84108C2
                                                                                                                                                                                                                                        SHA1:16AE8400757F7F7328F7249A77DD28D54E00F85F
                                                                                                                                                                                                                                        SHA-256:C6DA8DB3C2E208BFC7DF14F5A1C1426C9928E45D76D1F8BAA7C3A359D4045DFC
                                                                                                                                                                                                                                        SHA-512:2CF87121E2B1AE732108FBAFED0E83BB1171EDCE5E7667C896C028822774025F2BF05CBF18AB73DFA6EBECF451A34A778888756C5F54BB28D8BD95ABF94FF14B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.942214081024221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5qk53/hW3fZ+zWubrjb8vU8vMXa/rl9qX2Ip4WAqjdAA1m5wM6guNN9Qnea:5qk53MKkXuKrLy2Ip4Rqxf1ml67NN9Pa
                                                                                                                                                                                                                                        MD5:4D3C931FFA7277A789F58554CFBD1511
                                                                                                                                                                                                                                        SHA1:F796017BC6AC4F4D43004404F447FD43AA3517AA
                                                                                                                                                                                                                                        SHA-256:069A97023E548DF8659DF030515EAE8F9892383C07DE753E9C6A76F1BE8CA5CA
                                                                                                                                                                                                                                        SHA-512:AC27E22C01DCB3C87F211EBE3B06176A19B9B52B7B4C5964A63459A40551D0C26E87A002499CEA8C57E4AC2DDD63779975BB72C3CDF67E782670E2148936684F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23440
                                                                                                                                                                                                                                        Entropy (8bit):6.84611927746454
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CFCc4Y4OJWfOWqWWOWdrjb8vU8vMXa/rl9qX2Ip4IgqjdAA1m5wM6gu19QndRq:CCcyCiXuKrLy2Ip4Zqxf1ml67198I
                                                                                                                                                                                                                                        MD5:09D245947B23635B3E3088E11A262F1A
                                                                                                                                                                                                                                        SHA1:7066B52CDB87AC95C93C6706F393CAAB5C0B0E3F
                                                                                                                                                                                                                                        SHA-256:D3743DB2CE42F6E392F0CDE12C0172DA2D46D929A21EA720BF68C9A70D4F902E
                                                                                                                                                                                                                                        SHA-512:7C788811F61C683538ABFCC9C2A0013F57B9950B52C78AA5671C20A521A1361C93BDFC15540D3C54756CB4F9FC8596F11DEAE632B9993C1456316355E3D9747C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.011163520729842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fAWxMWQrjb8vU8vMXa/rl9qX2Ip4y09qjdAA1m5wMPhzmufdKNN:fvPXuKrLy2Ip4B9qxf1mlZxfdK
                                                                                                                                                                                                                                        MD5:247F64E45CFCA574AC622BF1FD912F51
                                                                                                                                                                                                                                        SHA1:886C2898ECA59CF3B4942B55870FBED937C5A55A
                                                                                                                                                                                                                                        SHA-256:1D348DD1E5AF4630A35B87B7F41D72812950A88411863F12FC707244F26887CD
                                                                                                                                                                                                                                        SHA-512:5A562266716010AFA67105590942DC1BE8DFA8A23677DC2FCB809C98AC9CA8B9702E3BDE9871924927183FCA5DA38C501D1639B453C63B10AF22C1480A6D83C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.998712661185082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gAlcWHaWdrjb8vU8vMXa/rl9qX2Ip4WgqjdAA1m5wM6guv9Qn2:h9uXuKrLy2Ip4Jqxf1ml67v9p
                                                                                                                                                                                                                                        MD5:6C706EC5B62AD8B3E47DF68FEC958CEF
                                                                                                                                                                                                                                        SHA1:6AAE4E8C9674B52D4291603534A9F29710ECB55A
                                                                                                                                                                                                                                        SHA-256:7D009E32173738F93293FD375D30D129EB5FD3AF275A04DCE6559C80F0F1FE01
                                                                                                                                                                                                                                        SHA-512:8695DFC3B5470ECCDA91E87A00AC948AA4404C052F6813172AE8E2EA9B3AD04A863242471E3283FF7576E95CC3AB0B2A0405159B5F91BAE0BE430D359CDCB4A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.945371086507728
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BVIZnWlNWNrjb8vU8vMXa/rl9qX2Ip4w5dgqjdAA1m5wM6gu79Qn2/F:3UynXuKrLy2Ip4wPgqxf1ml6779/
                                                                                                                                                                                                                                        MD5:1F32BF55548FCEB79A90D4716D6D530D
                                                                                                                                                                                                                                        SHA1:F81D1A7D0537D0AF25543CFB3DA91ED6F9ADD575
                                                                                                                                                                                                                                        SHA-256:B77A306E1A43F751EDCBED58600CEE4C9E285B3413FC80EFE4CB54EFFC91E14A
                                                                                                                                                                                                                                        SHA-512:02AF1977B2044453D6654F796288A9AD7CC3173AC78ECD07D91810C5A9BCA100649821B7067E3E19DB6869320F5CF2C9507FCA2CFE369C71EE7E9300AC4C3C38
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31128
                                                                                                                                                                                                                                        Entropy (8bit):6.676640743414556
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQq33333333kX+TBi8XXuKrLy2Ip4t0qxf1mlZxf5KCe:ku1i8XXd/9tlfInf5
                                                                                                                                                                                                                                        MD5:7562A817D262C3FB28452E391297AE20
                                                                                                                                                                                                                                        SHA1:1DFAD47D483E3CD98F24F83B113A333B5EDCB011
                                                                                                                                                                                                                                        SHA-256:0FB8DBBEBD012F5BCD8EBDA5D045C452FFB3C1D342CE50A89BA54802A9FA9DAD
                                                                                                                                                                                                                                        SHA-512:F43DDE140C1A653EA77166B4378168E2A4920E4D0287438722EC30D851CE6686A1C290BAB7D8519E32F8B693323852D87B81694A9AECD8F86A6BC9EB499E2E72
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):115600
                                                                                                                                                                                                                                        Entropy (8bit):6.234761534021768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4781mqR5JriAGnUKh17T6glQ6xBIwNSsj:Cu5wAGnUM1ZzPIwNJ
                                                                                                                                                                                                                                        MD5:35E085F5DCC44F27570CAF9F4B372F2D
                                                                                                                                                                                                                                        SHA1:DF34CBD5979A4B0279B1DEFF3ABE996DCEE68196
                                                                                                                                                                                                                                        SHA-256:75825429A835DEF9354C094193D8E03FA0FF12AEB62360AE993F009D2BFD27BF
                                                                                                                                                                                                                                        SHA-512:1420DDEC5CA2F503598C95AD2EFC2C63840ECC0BC7493B15C02153942E221AFB93F13A6BEAAF95EBFAA12287A3C3AC547D5471CDDD33FD10478D705A254D377A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.997210223066651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:728YFlXulWY/Wwrjb8vU8vMXa/rl9qX2Ip4JGqjdAA1m5wMPhzmufH7KNNi9b:70qGXuKrLy2Ip4JGqxf1mlZxfH7KW9b
                                                                                                                                                                                                                                        MD5:04C52E09DFACDBF8D03AEFFD8FB6F072
                                                                                                                                                                                                                                        SHA1:3508817E83D75A8A4379C5E3854E230E3D0A1FD7
                                                                                                                                                                                                                                        SHA-256:1591EB522D0982FD090F5B72D96B0D63B4CBF9A3D9CDEDE61F14DA0364926332
                                                                                                                                                                                                                                        SHA-512:817FFE1D2E12FB1D9E353474AF441F78051972FDB6D7CB2B123AF8713052ED8806685A2FC2D802C2AF0287A79C2EDCE64E81398AB37DAB9EFEBE9BF4DA07B55E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.9037745457630395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cuMLcdQ5MW9MWJrjb8vU8vMXa/rl9qX2Ip4bS/9DqjdAA1m5wMPhzmufvMKNNB3:xOcSpwXuKrLy2Ip4IZqxf1mlZxfEKB
                                                                                                                                                                                                                                        MD5:2FC55CC9CB26334D4EB1441EAB78E4E8
                                                                                                                                                                                                                                        SHA1:8C8106FEE200FFE554EFB4F159C26486168FB10D
                                                                                                                                                                                                                                        SHA-256:1AC224F6985861D581D8F5D4716DBAA8870E9751BF32FBFF8AFFCA2074812E08
                                                                                                                                                                                                                                        SHA-512:1EA2D0F80355FD062EA85CFED8A3F17F68F43E7A2B521615CD7E34734A0E1D7459816EDCFD0597DAEFDFD3B5A51CB8728D14B5D3AEEF92D757DA710C744391FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.9651362631451725
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4Z7RqXWDRqlRqj0RqFWsrjb8vU8vMXa/rl9qX2Ip4wKqjdAA1m5wMPhzmuf1KNNU:c9qKqjqjuqQXuKrLy2Ip4Bqxf1mlZxfY
                                                                                                                                                                                                                                        MD5:3E0C6ADE3265FC465B1921C06663F315
                                                                                                                                                                                                                                        SHA1:B2382BF6ADFA65C3A0952AA9BE9A92653A3C1688
                                                                                                                                                                                                                                        SHA-256:CA190C4875B264AD27275243E2250D46FBC6650C61C3B9C6E7A53D27C39F58F0
                                                                                                                                                                                                                                        SHA-512:06899BA415C9906426BA7FF40AA10D933FF0381BB9AB69F1526A7A19E6FE6DFECADD4A27B31954797E95FA443E512ED812943D4D945E2E77DB63E28A4FE28569
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25488
                                                                                                                                                                                                                                        Entropy (8bit):6.803634507686943
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:uvMhF2SzNzwu/NljuKXuKrLy2Ip4Z5qxf1ml67s9X:uvMhaKfXd/9Z2fIwsh
                                                                                                                                                                                                                                        MD5:54BA75DD3B87F2C17633455256089FB2
                                                                                                                                                                                                                                        SHA1:771B7B2CA69C6BDAAEDCA0599DF528ECC8B987E5
                                                                                                                                                                                                                                        SHA-256:75D401E02E8F82F0476C00C685F86FC5AF9501A383E1259F8962789C93E449A0
                                                                                                                                                                                                                                        SHA-512:C4F54A7F1F087BB716EE3C50871E90F1A58A372E9F93B072CD39FC953C15000D394C2F4B5C6292F45C63E549AB668557C9EE95FB1DB07B2A236EB8D99B41F016
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.026864594843848
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mZ4RLWdRfRJ0RZWMrjb8vU8vMXa/rl9qX2Ip48qjdAA1m5wMPhzmufxKNNfXW8:mZK0pJu0XuKrLy2Ip48qxf1mlZxfxKbW
                                                                                                                                                                                                                                        MD5:F3FD5F9F2E7A49A361C194BF4FB2BD58
                                                                                                                                                                                                                                        SHA1:BD0CB55D4A2982CA839B3160ABBB74578397A9F8
                                                                                                                                                                                                                                        SHA-256:82F798BD69F613591DC76AFC8AEDDEBF01B346C00E3CF3136606B5C326CDD5F5
                                                                                                                                                                                                                                        SHA-512:4DFC1495350884CC3D711CDB14EE19959A60A022B8F17F0D2D2B1BF8393B1B609A419D84478FB37D034AE97806DDE5533E875A15AB8AB70A10EAEB6DC3699736
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.951819730937382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AYWsmWlrjb8vU8vMXa/rl9qX2Ip4NqjdAA1m5wMPhzmufpKNN:A2iXuKrLy2Ip4Nqxf1mlZxfpK
                                                                                                                                                                                                                                        MD5:A9A00F18B05469C7117040668699F413
                                                                                                                                                                                                                                        SHA1:4829725A30D83E933A7C543366FD4912C2940C65
                                                                                                                                                                                                                                        SHA-256:19D09558EF2E73E19749468320AC295D49087B881F6F5687B92423C2B7397311
                                                                                                                                                                                                                                        SHA-512:2E227DAC4803B93217002F7EDDBD5DA5E9EBD46A2134D6C5C256EA261345EF8AA4D6A9ECEF839FFDD1C18884D461E8AB851F4F5AD1AC82312CAB3B068C7CEB05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110488
                                                                                                                                                                                                                                        Entropy (8bit):6.446596598395372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:evc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXoXd/9JfInfRx:ygk1tiLMYiDFvxqrWDWNoJXJL
                                                                                                                                                                                                                                        MD5:350E0C75CCCBE97C73CEE5D6D6FA5FF3
                                                                                                                                                                                                                                        SHA1:FA5668A325E7CE649A2FE16EED3CD835AEFD12C5
                                                                                                                                                                                                                                        SHA-256:8CB6E5B8C4962523AF0CAB6047E13BBD0986BA5E1A53FB42F18551A084F1E139
                                                                                                                                                                                                                                        SHA-512:5D7452D3EBDA221AD6DC8A40B34EB2E56D37F4D6EDB7A872C20A46D0289143E17F8AFD7C89E01FBB38E4D7DA6A09B01CDAF7C8838B5696326A6C44FA07410485
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.997525558964914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wKcuz1W1cWsrjb8vU8vMXa/rl9qX2Ip4tqjdAA1m5wMPhzmufYKNNy5:Au8nXuKrLy2Ip4tqxf1mlZxfYK+
                                                                                                                                                                                                                                        MD5:103EDADC4946F398FCBC4B53963AFD03
                                                                                                                                                                                                                                        SHA1:67459CD9720F5B54AABED1269A273D622D4DCE9F
                                                                                                                                                                                                                                        SHA-256:357A58E75867D87324FBA28874DBF6F71F4687730A96FA70C866AD3A56F2FDE9
                                                                                                                                                                                                                                        SHA-512:819F3293EAD5D8275C0902B24C4EDD60351D342A86960EBD4526693D16E3BB2BE1B8B6FBCB872D4C8E426A9853A05E3D517A451C556F574C6E3ECA5F0A04E67F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.006648212740362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J+SWikWWrjb8vU8vMXa/rl9qX2Ip4+aqjdAA1m5wM6gu79QnR9:J+epXuKrLy2Ip4+aqxf1ml6779k
                                                                                                                                                                                                                                        MD5:71FD1C542DD0BDD60253CFE3BE7821EB
                                                                                                                                                                                                                                        SHA1:B91A1DE710C926F335175AB65056C201A83FDB34
                                                                                                                                                                                                                                        SHA-256:691AFA1BD580160017483A3798691DBFE6D9B1B5D25711F4F5EBAD9FC7739AF7
                                                                                                                                                                                                                                        SHA-512:A47E6144B296D16DCD02DE03AC8131201937FB02D6FB6C57D062A2E02BD729225EE4353743620D7CFBE65F64BD1C9825FA96975482DAB32F7DA4FB169BBE618E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.033359063821397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VAWzgWrxrjb8vU8vMXa/rl9qX2Ip4YTyVqjdAA1m5wMPhzmuf0KNN1:VtsXuKrLy2Ip4jqxf1mlZxf0K
                                                                                                                                                                                                                                        MD5:26662A82F64933F65B670926B79651EF
                                                                                                                                                                                                                                        SHA1:93E649AE6E00CC67BBBA019A6CAC2943A498FF09
                                                                                                                                                                                                                                        SHA-256:16322E2DC66CC9C1609973C027415DDD32D654CACEB66D31EC143874C9BAAAB4
                                                                                                                                                                                                                                        SHA-512:CEEF52695A10BF3EE7865A41F7B32CD128483320D82473AB04F3CAFA52CA7EAA2C94FAE9B47AF7D6CB0E460206A640B39E2DABD5F6799CB2C3A9F77B2769D12A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.003613450362873
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zBLRWbYWfrjb8vU8vMXa/rl9qX2Ip4zaqjdAA1m5wMPhzmufPKNNDL:zB2OXuKrLy2Ip4zaqxf1mlZxfPKL
                                                                                                                                                                                                                                        MD5:B8F83C3FA77FE36CCC0382D553D250FD
                                                                                                                                                                                                                                        SHA1:4FCF512673531121F56A85368A19B5A8F845DF60
                                                                                                                                                                                                                                        SHA-256:AA6EA0A4D40BED81695BBC293F0D366060CF8C62675BD1AC4827CCC83EB60A35
                                                                                                                                                                                                                                        SHA-512:1F9A0E1BAA40ADC2140188829DF859835E4EB461E0CEF710BE3D402E38C7AEE3650904241F929DB5EF72F742F4E715521AFD67234DAC546710A34B84BFF2257C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.994555816607399
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kHW4/W/+rjb8vU8vMXa/rl9qX2Ip4Av/qjdAA1m5wMPhzmufbKNNXEf:kraDXuKrLy2Ip4Av/qxf1mlZxfbK
                                                                                                                                                                                                                                        MD5:E1A02445BF15638444B023FB8307CC27
                                                                                                                                                                                                                                        SHA1:CB1D37F5357AAF5D6384989042CFB4770F4B88A5
                                                                                                                                                                                                                                        SHA-256:6D672962F0A3DE78F53BEA6F46F52B6567DC0B66FA30C3434CCB01601F4F62CA
                                                                                                                                                                                                                                        SHA-512:CB5913D70B4F4F66F0824A268BA50FD9F0EFCAA3BF5A611A27AF0B9CB084152FA7F84BB51FF591F488AC15B864A00F4A9F3F2086EC1B4790F4B84DC58CEAFF00
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.03819685422154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4vk7hWmCWprjb8vU8vMXa/rl9qX2Ip4+qjdAA1m5wM6guR9Qnc:4s7/6XuKrLy2Ip4+qxf1ml67R97
                                                                                                                                                                                                                                        MD5:B85E09D2D2E7680EF0E4A2CD25BC42A7
                                                                                                                                                                                                                                        SHA1:3668ADEDFBA3DB9C0DFBB89BBC6A59484DB6F514
                                                                                                                                                                                                                                        SHA-256:8A4C3C55BD760C3A18A4C18524F1792CA4FF4CA7E15DF2BBEB1C5ED98ACD3661
                                                                                                                                                                                                                                        SHA-512:C8A51E72AB3562CAFD2F6CB476C0645E367FA4BC1283D8831ADF73962C253C1A67575AF5A4F3E3F9B78BFB09D9CDD0B4B7D62468387C1EF8CC9E7E70FA6A22AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.008057929164899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fGMWCUWOrjb8vU8vMXa/rl9qX2Ip4JPqjdAA1m5wMPhzmufNKNNOW:f3JXuKrLy2Ip45qxf1mlZxfNKq
                                                                                                                                                                                                                                        MD5:203D58799CA2BBBAA31E7E24A0B7DE90
                                                                                                                                                                                                                                        SHA1:59313DAB95F7A7E24F38F8FF7E0599FDFC2DE388
                                                                                                                                                                                                                                        SHA-256:D72FE4D4636286C97E19E838D8EDC6E73B0369485BF9E31B651D299E442C0AE0
                                                                                                                                                                                                                                        SHA-512:E124F6CF2AC45905B09E5667DA2B7435A4DA9B474C47881E2610924B1B853DF2A30B8A9D94016FAC165367C4F3AF17730B94A51B3EF54A164E4C8CCE40BC2553
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.9981638679653315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GBhwI7WSQWzrjb8vU8vMXa/rl9qX2Ip4QWqjdAA1m5wMPhzmufRKNN:GDwIByXuKrLy2Ip4QWqxf1mlZxfRK
                                                                                                                                                                                                                                        MD5:D3629D4CFBC9C8D017C11D991DBF52DD
                                                                                                                                                                                                                                        SHA1:DD7B325E1C34AE484B34CBCA05316A611FD2A5D3
                                                                                                                                                                                                                                        SHA-256:C530156FE29041426A8AD6158F1B3E50C642317C6F2CDEDAA178B12301847F04
                                                                                                                                                                                                                                        SHA-512:C3AB221AAA73525BD214153E353CD2CCF369918A7B0D849A71F23DD5AE0C1032C6E27DD522E0FEAB75B43EFC22336BB365EA26012BADFCBB7557CDE263E305CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.007583080450434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IyvPRW4lWerjb8vU8vMXa/rl9qX2Ip4JqsqjdAA1m5wMPhzmufFKNN0:p39mXuKrLy2Ip4Qsqxf1mlZxfFKA
                                                                                                                                                                                                                                        MD5:60F24564F5CF1617B0D548071C359595
                                                                                                                                                                                                                                        SHA1:15749A83FE3B0339BC0A122BCF5A5C57BDD64484
                                                                                                                                                                                                                                        SHA-256:48A3C7953C8A4372411E6708A359FB609E3AD8AFA8DF06E959034C9BB86E2C78
                                                                                                                                                                                                                                        SHA-512:BE0CE99A832E9C187E7EDB920B9839E4598A21F7C19DDAF927A554C87661E9F94DDBD681E7113A262B0398900435117AF3ECB7D0B0FF1C18E1179A044F63D46F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.960320105425737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Z6RW6eW/rjb8vU8vMXa/rl9qX2Ip4TUoqjdAA1m5wMPhzmufzKNNEUC:Z674XuKrLy2Ip4Tnqxf1mlZxfzKwU
                                                                                                                                                                                                                                        MD5:26BACE058465FA382D19E8F0834041E8
                                                                                                                                                                                                                                        SHA1:F24D110FD20D232F37AE11E46D2BEAB05D90B891
                                                                                                                                                                                                                                        SHA-256:06B3638A329677C07EAF094515D4AAC6D8F6789716BA81908242421DC6962123
                                                                                                                                                                                                                                        SHA-512:6A0002F3CD6DC6C50A2A4876436DA354968430938DE0FFF8FF10AF7DD7A2C722406807CB3685EC6CACB371EEC1ECD3DE51B95EFD5ED02DBA74288BC5C0313F0B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.000838154202714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wSUP9W70WVrjb8vU8vMXa/rl9qX2Ip40NqjdAA1m5wM6gum9QnXCjB:VUegXuKrLy2Ip40Nqxf1ml67m9kCF
                                                                                                                                                                                                                                        MD5:DA2F39EBEA5C12F119098E397BF9C631
                                                                                                                                                                                                                                        SHA1:D9AA672FD46EC0DDB8CEFBB131B57539F33F3633
                                                                                                                                                                                                                                        SHA-256:76CDC708202E8EBD871D84CC5A687C99E471A5554B3593A49560B494C5C7DA50
                                                                                                                                                                                                                                        SHA-512:A53F8AB4CADCD522436BDF2208380D77AC260927A22E3D4167D26EA949CD04B42148A1A7C8EFA829600D95165EF23A95342ECC8D94CD355784FCEA2BD7C6FA43
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.994695936763323
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:O8yg07W0/W7rjb8vU8vMXa/rl9qX2Ip4G8qjdAA1m5wMPhzmufZKNN:OBHTXuKrLy2Ip4G8qxf1mlZxfZK
                                                                                                                                                                                                                                        MD5:C83FCB3EDF29159C659D3FFB80BFFB86
                                                                                                                                                                                                                                        SHA1:4951763CA6805CFC9338F80493EBA2C3BAD2EB16
                                                                                                                                                                                                                                        SHA-256:0CF10D9D9AF79DA224CA2AD7ACB62A2D26F25FE790D879E0D26D4028BE885A10
                                                                                                                                                                                                                                        SHA-512:F9E7BF41C3E40A19AB7D8DA0B1083134020D3EACC585411B09E13108985808E81C6225480FCD53846C4D3B82E92FD57DA86F8E458CDD1BA0CD1626C526863F59
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.973632806405112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pe1WmRW0rjb8vU8vMXa/rl9qX2Ip4OrdqjdAA1m5wMPhzmuf6KNNra:pejAXuKrLy2Ip4kqxf1mlZxf6KS
                                                                                                                                                                                                                                        MD5:F0FAFD1403270B32A642AE6FB61AB301
                                                                                                                                                                                                                                        SHA1:B7D8643EE8988DD64D66F57398D292F67DF98AB6
                                                                                                                                                                                                                                        SHA-256:CD6F157F4DABD50A4ABB1F986D7D543EFC3066667A032FAEF71544DBE0FCBA92
                                                                                                                                                                                                                                        SHA-512:96554AC18C0EF88702355DBA596F887DDA4D1FD6FEAE727455F908E5212D8F8B625DF900D3284ACDBCC52048FECD5198B02DCE253DF5D0B5E7F462B21DE8AD35
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):198032
                                                                                                                                                                                                                                        Entropy (8bit):6.162277376255732
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6eruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgXY:7W60VcTvakcXcApOz
                                                                                                                                                                                                                                        MD5:8AAFFE537F6B9A0560A27F9BD548DFA2
                                                                                                                                                                                                                                        SHA1:06AB3E6125707F4EBFAA9C56192EFC51FFAB7C88
                                                                                                                                                                                                                                        SHA-256:7C94B2BA7BF96322BC0603A9FDEEF31286255AEF28BC0FA6183E4BE65159D5EF
                                                                                                                                                                                                                                        SHA-512:FA74208EC5618E6366F85F5CB6105FCE1BB06FDA0AD1D0A0A2EAE09C9D735AF54F094BE510D2627D05B53AEEB48A3838F4D0E37B2AF2F831E388E81FE6607024
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.984632406517428
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J6ZWYLWYrjb8vU8vMXa/rl9qX2Ip4OvqjdAA1m5wMPhzmufJKNN7Et:J6lqXuKrLy2Ip4Ovqxf1mlZxfJK4
                                                                                                                                                                                                                                        MD5:3EC1EBC7B65D622FA955164D88345197
                                                                                                                                                                                                                                        SHA1:2A5D766BCD18A15AADEDAB72E18781B3E415C3FF
                                                                                                                                                                                                                                        SHA-256:183114742682A2026BD7D8B3081210C0E60C0002E2662C23501DA59884BABD47
                                                                                                                                                                                                                                        SHA-512:875C8BD7A4E9BF6244C07DFE3D50D2C4F3C1D16C016C35D500B61592A0BCFFFA48BAD3741D0BB869C6806CE2A2C7A1B546FE8C508AC080FA7FF9522979187CBB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.943638521195965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:11W1WMQWNrjb8vU8vMXa/rl9qX2Ip4xqjdAA1m5wMPhzmufgDyKNNo:61UXuKrLy2Ip4xqxf1mlZxfgDyK0
                                                                                                                                                                                                                                        MD5:B21920D5C8BE34A5B5174C0146CFBF2D
                                                                                                                                                                                                                                        SHA1:EA1A21E4B0AC17656CB513EAC8438A80D6AB4CF3
                                                                                                                                                                                                                                        SHA-256:4B493926117888FCD5CD9DCF885A6D3BA1E789A6F60C317D0ADC854E6EBB84A3
                                                                                                                                                                                                                                        SHA-512:FA50FE27CB450DF9820FD58BD5F51C1BFB48A37B0BEF0CFF8A66D13BC5FDD603AD2567772738286EFC01A5DD6BEFA5F3209A5811FA07B3B734DE8FB3FA1648B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.987044402084381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OdSWSKWJrjb8vU8vMXa/rl9qX2Ip4h9WNQqjdAA1m5wM6guji9QnOib:gOiXuKrLy2Ip4h9sQqxf1ml67ji9Rib
                                                                                                                                                                                                                                        MD5:04D1FBDABE4031C41C78561299A7ACB8
                                                                                                                                                                                                                                        SHA1:42214F33CD43F81928B14D77A21DE6DF5130D6D4
                                                                                                                                                                                                                                        SHA-256:9CA5E37A30FB7854884D9DCC8CBF335A67BE5461676149620FE519F264201CFB
                                                                                                                                                                                                                                        SHA-512:C0EFC249A1D2549E35D73966FC863F7D7B7D44B7CF683F00B61484BF0BFE97D054AF60448427D9EAB9601056CC455116651BBF8DB1674EAD53916137A1D4C818
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21904
                                                                                                                                                                                                                                        Entropy (8bit):6.91840497899968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TJEYA2WkIWVrjb8vU8vMXa/rl9qX2Ip4cmqjdAA1m5wM6guj/9QnQ46:TyYA8wXuKrLy2Ip4cmqxf1ml67j/9n46
                                                                                                                                                                                                                                        MD5:8173CE565271ABE14CF8F5360241ACA9
                                                                                                                                                                                                                                        SHA1:18C3752781DE815AD211724277C2FE3E3344514B
                                                                                                                                                                                                                                        SHA-256:D0D42D5912BB949C303D6B4DD891356810567890D028A5AA79BBA70464DBDA6A
                                                                                                                                                                                                                                        SHA-512:5E03654977B762393BD597C89E728B32D011E5D944C69BDDD6D9C70B80A227BD1E5068CE844168C6A1D5BC1A600D8727DF21473D1C5FB8D8BD15F51DECDB0BD5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.0151546883891625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DJGWe4WKrjb8vU8vMXa/rl9qX2Ip4UdqjdAA1m5wM6gujy9Qn+I:9mRXuKrLy2Ip4Udqxf1ml67jy9XI
                                                                                                                                                                                                                                        MD5:170279AD91683FCDC34C06433714AAD8
                                                                                                                                                                                                                                        SHA1:FA70C2069EED8F433DC644B13945C5AAC83E8FC9
                                                                                                                                                                                                                                        SHA-256:C7E2D7DEC468FC5BD8C015299C2F7DCCFE224C31C2B129B59215E2B4CBBA362E
                                                                                                                                                                                                                                        SHA-512:724066CDCCF8AC5C23EBA0B72C98E65A3FF7C10D421C3211C8FB9AFB4B3F1CF92F8A313A8C6A04DE21914CCD0D24E4242EF8DA06FF183F6DE13D4CAF35C126C5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.9470825449590246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6dW1w3WesWIrjb8vU8vMXa/rl9qX2Ip4p2qjdAA1m5wMPhzmuf0XKNNi:v1wxzXuKrLy2Ip4p2qxf1mlZxf0XKW
                                                                                                                                                                                                                                        MD5:B0542ECBAEF709A894E60C0BE484F735
                                                                                                                                                                                                                                        SHA1:104248A3440E7556911F55FE1035D206788F9211
                                                                                                                                                                                                                                        SHA-256:14B013774922B75CEBADA80C13669CB5E3016F68E67939BEAFF1267E1FC846CA
                                                                                                                                                                                                                                        SHA-512:AF70D37249FDFDC5AB69B26231D7F433DE4DFB0E166B79213E89B7168308B7F498768722CD1CE8B31CDED110EE489BF24D3CC312964A8E98C6D856CF5143694C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):30096
                                                                                                                                                                                                                                        Entropy (8bit):6.758661281128326
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Eyp12Bhkg3qnV/sp1XuKrLy2Ip4nRKqxf1ml67jm9c:n12zkg3qV/sp1Xd/9nR3fIwjmm
                                                                                                                                                                                                                                        MD5:466C01EF08D368E9A8F94ABBE1155FD8
                                                                                                                                                                                                                                        SHA1:1D3A324FC8078D6B7EAF1084E0F3EE64CD90B0F9
                                                                                                                                                                                                                                        SHA-256:8FE89ACDBB9C7ED6E37A37252FC27E7C4B52D4033F190F130ECE8684DFECA6D7
                                                                                                                                                                                                                                        SHA-512:431E085F8D1C0A25BF6AAA0A922C41DD6F3BB89B71C7D312D7344282281005262C912271D3DB720418419524757F0DDCF0DC9951666C8CCB7DA9A858E7AE178D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.0003895804364005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6HPAW1bWjrjb8vU8vMXa/rl9qX2Ip4cQJunqjdAA1m5wM6gujM9QnOH:irDXuKrLy2Ip4enqxf1ml67jM9L
                                                                                                                                                                                                                                        MD5:9506ECFAABFC8B08400F3D146E7C777E
                                                                                                                                                                                                                                        SHA1:41D3BE99F405B0E7292C7E83DF85741154D89898
                                                                                                                                                                                                                                        SHA-256:C7EC94DD26FCF6D0277DF4E27BAD7BF2357FBCF5580C90B1404123F9B41EEA0A
                                                                                                                                                                                                                                        SHA-512:0FBD3AF34744BE67A184F1EA0CEA12F8039C439F2AC6ADC12054315DEBCBFD9CE42A79403AFE74255446AB1D6521D340C7B1AAC40520689F7C1301591969D3FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.995533569041228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9NoqWD7WMrjb8vU8vMXa/rl9qX2Ip463FqjdAA1m5wM6guj/9QnZ6:9NofyXuKrLy2Ip4uFqxf1ml67j/9f
                                                                                                                                                                                                                                        MD5:365505A8F104FFE56153ABD1C30E79EC
                                                                                                                                                                                                                                        SHA1:8419BA28109A8F089BF1D28F227643E1443D22D5
                                                                                                                                                                                                                                        SHA-256:156397631044EAB67CDCFE8FCF3BA81C008EAF29C5EA975C0FC0362C5F25001E
                                                                                                                                                                                                                                        SHA-512:11B68F266538C6704E66815C15FE9521290166DEA38FA032A1E93B4876DDED8726606B54C17F917FFBEB5CFD46D9AB85FA7160306A6D88060C2D9568ED644A14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.005845929780423
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xGETSAWUEWIrjb8vU8vMXa/rl9qX2Ip40PVqjdAA1m5wM6guj79QnfONt:FT1HXuKrLy2Ip4qVqxf1ml67j79iq
                                                                                                                                                                                                                                        MD5:19F7753BD23BF3123F3C20873B29FCB2
                                                                                                                                                                                                                                        SHA1:56B28F1213C1DD31F7128AC6EE37A356D243E570
                                                                                                                                                                                                                                        SHA-256:6F7F6F7C7973D6C6D71758210DAA247D263E30B7646C9D9DD3D006DA33A1EC11
                                                                                                                                                                                                                                        SHA-512:963E2A093AA52805B61AB0B27C68AFD9494D7B5DBF2B698F94E339A7278A46ECEF93D9BC5C9A65D81D6A213994D3D4AD561F25594A49C3733C64CD87CF0E7FBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.983571026147883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ycDagtDApWSKJW1rjb8vU8vMXa/rl9qX2Ip4EqjdAA1m5wMPhzmufOKNN:yPKBDXuKrLy2Ip4Eqxf1mlZxfOK
                                                                                                                                                                                                                                        MD5:4EA82A69985A43DD5082ADCAB5ED66D0
                                                                                                                                                                                                                                        SHA1:92E6866FD64071400ABAF839B18D5344B8CCA603
                                                                                                                                                                                                                                        SHA-256:092CF41EADD6E91D57C8B6D73A060395F9D908202D22C2B44D87EEB3F0B789C1
                                                                                                                                                                                                                                        SHA-512:075217F6A7CFB02EB1765DCF63CFB3A67A731E82E3876F5C44E21F8C05CF8A814DBA5EB600C1F5781400C402C2561DD2538B03D34685DB03FA545DF492E2E4EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.003357584301227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:FIWD4WWrjb8vU8vMXa/rl9qX2Ip4QqjdAA1m5wM6gu19Qnp:F1FXuKrLy2Ip4Qqxf1ml6719a
                                                                                                                                                                                                                                        MD5:BCFFD7D084AD2B512C888803E0B05285
                                                                                                                                                                                                                                        SHA1:E6C6CA734074A822E208C7D3EB8472B0F9D83332
                                                                                                                                                                                                                                        SHA-256:0F4B76417698A632EA7624DF08D61204549CB0B46FAF0D97CC8CCF0F9529A5CF
                                                                                                                                                                                                                                        SHA-512:885D880AF39E994AD19F5B9A95411BE15B3D3D1B00457F03539FA737A858547425E5C4FADB70575E2C80D5E61FDA9FF28C2D86A2627FA92DC955790619E92477
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.944105176211853
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RMWzQW3rjb8vU8vMXa/rl9qX2Ip46qjdAA1m5wM6gu4J9QnN:R5aXuKrLy2Ip46qxf1ml674J9i
                                                                                                                                                                                                                                        MD5:0BA68780FE8E528D780067CB35099E39
                                                                                                                                                                                                                                        SHA1:D2C87A3924725FDA7DB96305303C509661104637
                                                                                                                                                                                                                                        SHA-256:CC74DBF97FD673E86F38A26FE8DBBDACC10B637DA977675D989EDB2E798B9AE9
                                                                                                                                                                                                                                        SHA-512:AC2C5DE146E684E701D874EE696E280080FE972C8DC9C4601D79051BB8E27CB7CB0182D464B18A076B066A2A566FFF1F46BD150CC4B6CAB32479C15C733921B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21904
                                                                                                                                                                                                                                        Entropy (8bit):6.899316258307013
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NxDHKWAMWHrjb8vU8vMXa/rl9qX2Ip4caqjdAA1m5wM6guQ9QnN1J:TD8aXuKrLy2Ip4lqxf1ml67Q9e
                                                                                                                                                                                                                                        MD5:665BF8F0BFB4A05AEC361E7E9696609B
                                                                                                                                                                                                                                        SHA1:CEAF8013DB640E797FA8D02BE65F6ABEF5EF66C7
                                                                                                                                                                                                                                        SHA-256:D2D79415ED01AA74EAC604B952C3EA13F521D6AB2594F5426E6E53FCD81F1C37
                                                                                                                                                                                                                                        SHA-512:B0ECB305FF12D20BABD9DA44F1AE83DCD91638602059DB5A11B9F70E1660D5808503DB3D28E62BE7DFABC34D3EF9066EBB9E2335F34627E99F13F464E8CCE6DC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.978172229910515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uLNBEW6pWTrjb8vU8vMXa/rl9qX2Ip4RcqjdAA1m5wMPhzmufUKNNnK:ubM1XuKrLy2Ip4mqxf1mlZxfUK
                                                                                                                                                                                                                                        MD5:D82383ACEB965C5EDDF8AF7A6A0A15D6
                                                                                                                                                                                                                                        SHA1:9E67E3AFC5D84BB54B8B588B2C4193914F0037DF
                                                                                                                                                                                                                                        SHA-256:299377F9371C0B83FD1AEA252BC6DF5DEBD86AB91E30234D633EAE4DB481B2EE
                                                                                                                                                                                                                                        SHA-512:82567BD8DD329BB428FA033BDA55E2DC6BD8ABCFED24FBA64EF6B26CE3A0957CC57749E1627D69ADB00830A3A2D4BFD6F76C237C377657346F2AB536B91E0E2E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.0179629881765235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GKkHKW/tWtrjb8vU8vMXa/rl9qX2Ip4/qjdAA1m5wM6guM9QnI:ruDXuKrLy2Ip4/qxf1ml67M9L
                                                                                                                                                                                                                                        MD5:8C26782A8A2F76E462F39709279542AB
                                                                                                                                                                                                                                        SHA1:7A25D29E4DE0F04F0EC6450677D3260985F2A4B9
                                                                                                                                                                                                                                        SHA-256:ACBCCC952929D7FD2EB3F74D5F40A51F01C744CADFEAE9AB4498EBDAFD4ECDA2
                                                                                                                                                                                                                                        SHA-512:05599E1B1D551A52EF9C0ED66AA530D2EFC79C93F343657628177CC77A4BFD77652735BA35427B5B2E03C42EA232A1E6A5B280DFFB038D268144A2306918EABB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.984123046209231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:FLnfIWqrWIrjb8vU8vMXa/rl9qX2Ip4ZqjdAA1m5wM6guS9Qnuwj:FDf4GXuKrLy2Ip4Zqxf1ml67S9Bwj
                                                                                                                                                                                                                                        MD5:F87C6A11B2067BBAA3F2FAA8F233C6D0
                                                                                                                                                                                                                                        SHA1:F70DE6D166A7AD5ACB776DDEDC69C8C4B0B2C921
                                                                                                                                                                                                                                        SHA-256:1A91725A2235F177902E839D14F7D001D7769F9F9D56BDFCDC197DE52CDCC4FE
                                                                                                                                                                                                                                        SHA-512:4D4CA74E5F7CA59FB1D2CFCFCEC77D043E58B7A0D7ADE029D09460FA4E69928EF522CCD9C16BCDD8BFF667F1888D9EE85855790C35414DB86C5B8E3C2F318D6C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24472
                                                                                                                                                                                                                                        Entropy (8bit):6.7882096418744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:XybU8ndrbbT9NWB2Warjb8vU8vMXa/rl9qX2Ip4Y6qjdAA1m5wMPhzmufSkKNNbQ:Xy5ndvW3XuKrLy2Ip4Y6qxf1mlZxfXK
                                                                                                                                                                                                                                        MD5:26B7DBD84B16A43ABCEFF2627A74CD0B
                                                                                                                                                                                                                                        SHA1:861FBECA85A30DCFA7DABA0EE06587F628437D73
                                                                                                                                                                                                                                        SHA-256:3828496E4CDFC51932C4CA468B0CD1DDA80935938265C8C0FFC199985D7B64F6
                                                                                                                                                                                                                                        SHA-512:2F9DD6F7DBFEF688D0379D2DBBE31A84B88FCD7BA3F4B64F6EE0DD729AA494EB844CF9F8885936A3BFC1ACB8D3DB54E8C4BF7D1FD91743089C2AAAA1B469249A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.966709642752203
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Lna8WK1WWrjb8vU8vMXa/rl9qX2Ip4uKqjdAA1m5wM6guN9Qn5N:Lna0GXuKrLy2Ip4uKqxf1ml67N9ON
                                                                                                                                                                                                                                        MD5:058DB9C4C9E558CE2398D3C59A68A215
                                                                                                                                                                                                                                        SHA1:15A0B691A8AF151664F026623C99D8880928E1A4
                                                                                                                                                                                                                                        SHA-256:E1F2FF0FCE9FA403C2B8B782C83EEDECC45AE3259B6C9D5D75553855E17FB1F4
                                                                                                                                                                                                                                        SHA-512:3072E028D68F81BE60D023C369B3881231DC824B6321FDBFC5A145ABB2946F2406B0B7230A23BF7AE64E63A0628E600BF7AB13C631EB35E5A327ECE69D986ABD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.934809300061368
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kBSWITWmrjb8vU8vMXa/rl9qX2Ip4XqjdAA1m5wM6guI9Qnxz:k64XuKrLy2Ip4Xqxf1ml67I9e
                                                                                                                                                                                                                                        MD5:A91A9DE6D34BF57E937F54484BCE34F2
                                                                                                                                                                                                                                        SHA1:EC15EED8DAA2CBD4B354E38C4FD9117A93219399
                                                                                                                                                                                                                                        SHA-256:A74B50B46BA492A668CC303D2A5D8CB8C67BBE5AA7D2BEB8C5232E14A605C724
                                                                                                                                                                                                                                        SHA-512:D7383AE69EF3A9FCD39C3C28169C156E4DAAE769E8419BA5B01954FB57B55F05DA53E47AB388373F6C82E11A295CCAB501E5457D726BC5915E62857E2D601FDE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.011535707083026
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G88cIIWNoW1rjb8vU8vMXa/rl9qX2Ip4nWqjdAA1m5wMPhzmufHKNNlb:G9cU0XuKrLy2Ip4Wqxf1mlZxfHKV
                                                                                                                                                                                                                                        MD5:B21B74A4327403B0F3BAE1C090A560FD
                                                                                                                                                                                                                                        SHA1:8E64108CF5EBC502786B7DB1A4328D0FFC9A923A
                                                                                                                                                                                                                                        SHA-256:5325195B7E1FF04DAF0DE69FCC251E2A63E270749C4E19626E32C9502FFE0CE3
                                                                                                                                                                                                                                        SHA-512:7150A35A6336B87F4B6263C45D10D1D380F4C6FCD5D6FE012E7D583D0C00679119F129CC17F32898381A16EB8E4B53ED3165DD9DCBC069BD05BE8B12A587FBB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28048
                                                                                                                                                                                                                                        Entropy (8bit):6.7792827357845935
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akUwx9rm5go1fWKmmW6oqN5eWjaWgrjb8vU8vMXa/rl9qX2Ip4LZdqjdAA1m5wMl:RrmoFmWdONXuKrLy2Ip4vqxf1ml67l92
                                                                                                                                                                                                                                        MD5:24C4F77975CCA39B982DDCEA7C12203B
                                                                                                                                                                                                                                        SHA1:FE8E1809BBA323B31352BA29CF7BDD928598515A
                                                                                                                                                                                                                                        SHA-256:64B2A284187511529A5A22B4171F9689986F8AD93E16DEF1711A5B464C13DCBF
                                                                                                                                                                                                                                        SHA-512:4404F315D09992139A504AF580A8D7D8EB6B9D034FB5A9215CDBA0A54E8360D04284D279E1A9DCD9B670237C0DD3AC017D1E216469AB96ED19898C49B4FAF480
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23952
                                                                                                                                                                                                                                        Entropy (8bit):6.850951448934416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:n09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsN:WOAghbsDCyVnVc3p/i2fBVlAO/BRU+pv
                                                                                                                                                                                                                                        MD5:3AB8AE09BD2E551D458249E33FEE0023
                                                                                                                                                                                                                                        SHA1:FCF1D3A7F76F14E37F070322260CCAAEB96DD413
                                                                                                                                                                                                                                        SHA-256:AF7163893F3C14B1237AE93E6F4061FB4ADFC5000C8C18CE1138F76FD219B84A
                                                                                                                                                                                                                                        SHA-512:ECD464ACBE06B588A513090452CA6A33126E12E12953122482CF8C64FD69FC6676D2EF7CCA14C90FEE2F668AACABE46097004A2450726DB6AAF6F005E93AD22F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.988541975227428
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:B7W6RWhrjb8vU8vMXa/rl9qX2Ip4SqjdAA1m5wM6guY9Qnqf:B5nXuKrLy2Ip4Sqxf1ml67Y9Pf
                                                                                                                                                                                                                                        MD5:34A1B50E1121C2C71F9016FC51A5C4E1
                                                                                                                                                                                                                                        SHA1:AA19D8EF4483CAE4482F4899E875AA12B760B1EF
                                                                                                                                                                                                                                        SHA-256:2F3D28A3CF62ED756CF037019DE3368A8CA7ED7EC9BBD91340252444C62FD705
                                                                                                                                                                                                                                        SHA-512:4FA114A8FCFEEED67CA1721C5B414E9947B00645155C248D13AAE7940AEB043A7BF3CA810B712F841886191721A2A5842E8B177718CE07A844BEBE401127A36C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.044754272178806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JI5HeWFwTBsWNrjb8vU8vMXa/rl9qX2Ip4IdqjdAA1m5wM6guD9QnG:JI5HFwTBIXuKrLy2Ip4Idqxf1ml67D9p
                                                                                                                                                                                                                                        MD5:D9B73843EAEDE5EE9B34AC360F2BAA92
                                                                                                                                                                                                                                        SHA1:FBF9E1BADCD3C0EB7A24FC91B15260096C30CAAB
                                                                                                                                                                                                                                        SHA-256:E6F7730094932EE4FF5B075A7BA43F685727CFBF44841F9195DC15EBA496764D
                                                                                                                                                                                                                                        SHA-512:161BC04B75B6EACE0E96D1F620EEF4F42B5DB9496B26633E42182D4416D4E04B83AA66EB2664039CABBCBB76822942A2A83D0AF6C4A378A43DCC83C3D14322E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.020118822021622
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OAJpVWbfkBnWnrjb8vU8vMXa/rl9qX2Ip4fBqjdAA1m5wMPhzmufuKNNu9:OAJpWfkBPXuKrLy2Ip4pqxf1mlZxfuK
                                                                                                                                                                                                                                        MD5:DD469A059022092713E134045BCDF10F
                                                                                                                                                                                                                                        SHA1:0225E4E40A2CC5C549AA27C0D4659B93B15CE268
                                                                                                                                                                                                                                        SHA-256:061B6CA627867552299E9E56A5A9833308150AFEA6AB386E85E262069AE7A8CD
                                                                                                                                                                                                                                        SHA-512:020882000D1C3CAFCB64893C6E1EF01A263D5BBC823758468ACD70646E92A1CF5068983D2F77D62AAADB357D0A7DB3BEA476225494E18A6B2CDE6B5A46C8A004
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26512
                                                                                                                                                                                                                                        Entropy (8bit):6.734101612753595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:S1dyAqgQBfqyTBhXuKrLy2Ip4loqxf1ml67K9r:EdK1DXd/9lRfIwKx
                                                                                                                                                                                                                                        MD5:662975BFC7452FD98AC5B5AC4AA00E1A
                                                                                                                                                                                                                                        SHA1:6EA6550AB246FF1A52E73F3D4134505A498FA35B
                                                                                                                                                                                                                                        SHA-256:10459CF7BCF256226D36AC92E3A52F312D263331C90C21776BD800052EF417CA
                                                                                                                                                                                                                                        SHA-512:F74189A12C1392C9E7099F1995AD6A0344D5A5B3EECDA893B8D68198808819919293B07B808A518D2844CA2830CC51417684EB35F5762C6CAC2AC93C28E28C6D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24464
                                                                                                                                                                                                                                        Entropy (8bit):6.849912571036139
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWIrjb8vU8vMXa/rl9qX2Ip4GijNqW:3sPMQMI8COYyi4oBNw4tBZXuKrLy2IpO
                                                                                                                                                                                                                                        MD5:1EF39E66DAB584C628D4BC3228A4DC6E
                                                                                                                                                                                                                                        SHA1:057B5E2851F33F2B00535B98FA48F4C302AAEA5D
                                                                                                                                                                                                                                        SHA-256:59D41AC5202C34789B7E4A1974DEE4380C67C482ACA573283429172CBA8C4910
                                                                                                                                                                                                                                        SHA-512:9D5B836895916D08B3F5BE49915AB4773D7157D8E4A8AD48D70DACA01BE5753B242E0F255F345F7343FD5C1CE0211C4E0170D2C2E0CC7B7B21AF03B3EAE3B58C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29080
                                                                                                                                                                                                                                        Entropy (8bit):6.5548302544320025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wbhigwLAuZtM66g/Id7WVXWJrjb8vU8vMXa/rl9qX2Ip4Bm0kqjdAA1m5wMPhzmJ:wbhzkKsZXuKrLy2Ip4Gqxf1mlZxf4K
                                                                                                                                                                                                                                        MD5:2F288B6767A5EAFBCA946BCFC27E89C7
                                                                                                                                                                                                                                        SHA1:EF224B3B306AAE54AF7AA34D56F98ADED3594018
                                                                                                                                                                                                                                        SHA-256:4E84ADA2661914880ABB7BC026360A2B125E1EFB616FE4CB2C8C8F3631E3FB31
                                                                                                                                                                                                                                        SHA-512:9E5FD1C7DE360653C26CF424179EED8B6DCF7EE7C61CC4CFFBB96ADBB2480FE8B4605347D8B8532391E1EA9F3712E8945CC8F90E66E4BEAE99C653757677BA83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38800
                                                                                                                                                                                                                                        Entropy (8bit):6.247721229864382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:rTIrKFsESvNsStEpOqPOmizx1qYDpjhHsH5KDs6L5C4ioDElwr1ZWBky351ihXu8:Q6lw1IbihXd/98fIwwf
                                                                                                                                                                                                                                        MD5:BA8BC1925AF4998A1CD45C88B514D6E7
                                                                                                                                                                                                                                        SHA1:B09FF7F6B478FCDF8EB679244B41691C9ADA8802
                                                                                                                                                                                                                                        SHA-256:4B865CB59849264A3CF0F4FD0D8E7D37D10C8E83DB437E7FD73A3AF3219D5DE5
                                                                                                                                                                                                                                        SHA-512:06D49C0FD483E3BE9DBC836D9D8690B6E608C61F28DA2FB317F6EA24DF5E55F5DDABE05ACA6E87E8858B2A2973241DF9C7425C74344A6F5A0C88BBD69307FB14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.003016241589041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BUcX6W9aWTrjb8vU8vMXa/rl9qX2Ip48OKqjdAA1m5wM6guS9Qn89:BUchoXuKrLy2Ip48zqxf1ml67S9d
                                                                                                                                                                                                                                        MD5:E014124516CAD509BFA147D47CF20CD2
                                                                                                                                                                                                                                        SHA1:350EF02B037229382B8AC3C949618EEE7A92AA4F
                                                                                                                                                                                                                                        SHA-256:E66EEBF316BAD6F70F957BE77DC49C8505DA79F9D50F21E3EA614C048A16F5EB
                                                                                                                                                                                                                                        SHA-512:91350839DF89EB9B7C1905A8A07BD18F16C38B4024CB7560628C2A16D8CC0DEF73B599C524804D78FBA80117D08C2D9A4F1A46BC1831447C765C3E754174D12A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):46480
                                                                                                                                                                                                                                        Entropy (8bit):6.163296457274073
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:CoBj7kS+8mjvHTeaWKs0Sd4eeyXuKrLy2Ip4GgXqxf1mlZxfnK0:xPmb9WKs0PeeyXd/9GgQfInfn1
                                                                                                                                                                                                                                        MD5:5775FF3B921A884F003F13D773428B48
                                                                                                                                                                                                                                        SHA1:A234AF85E33777FE70ABA0DA132B037C4D5FB0A1
                                                                                                                                                                                                                                        SHA-256:4CC2245DE46CF1DF82B28BA1D33D79B3C031BE6103E9DF98FCC92AA66A0CDF22
                                                                                                                                                                                                                                        SHA-512:11A754B91F6B14534A7F17C6A117C50FC7A845A838372C46BBA199CF819937DCAFAF80E3D24F30FC08B0CF2C09E715319121CA7A12B9D993BF4D4862B76D1F60
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.024356112019851
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ATI2pWPzWkrjb8vU8vMXa/rl9qX2Ip44c3qjdAA1m5wM6guIP9QnUQ9:AE3iXuKrLy2Ip44+qxf1ml67IP9fK
                                                                                                                                                                                                                                        MD5:A203BDB987EC429C69C2D7ADF646BFE2
                                                                                                                                                                                                                                        SHA1:BB9CD85E73E2DF0F7E8A68255F9D162F8932B616
                                                                                                                                                                                                                                        SHA-256:E3082AB9DB056CD0E029B19FD169610C01DD0A19232399FD3EF3F31BABF3B2C8
                                                                                                                                                                                                                                        SHA-512:E45C45595D90E00B4EC40848AF3D87D13949BB0ABBD864421035F45069626499F2A38D1415B60F0231B05CC518E013A137A6C56CABEC96BB434E421E8247EBE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.0361449962053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:jcezoy4W04WxFrjb8vU8vMXa/rl9qX2Ip4DqjdAA1m5wM6guP9Qno:jBzoy+GXuKrLy2Ip4Dqxf1ml67P9H
                                                                                                                                                                                                                                        MD5:B21FDDB7CE2C7D56DB193E0D49EA6FE2
                                                                                                                                                                                                                                        SHA1:E41AD023ADD4C2421C65BBC66007E2663C783D6B
                                                                                                                                                                                                                                        SHA-256:694F1D7212F5DE0DCEED09D8D4FE92B85583A3BDA1391DF6D1E6B4F59656FDBA
                                                                                                                                                                                                                                        SHA-512:D63F1E8CA3F7C5D3F66273FCA1A056C79A6E6815F076563956B09A01BF8C788FB4E31350B62633712B7C8103CFA1F53D04BBABC3E9E3D1FCA67CA61631500DB3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.952206182559834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fH/JWKpW0rjb8vU8vMXa/rl9qX2Ip4cbqjdAA1m5wMPhzmuf6KNN4:fH/jsXuKrLy2Ip4uqxf1mlZxf6KE
                                                                                                                                                                                                                                        MD5:B735DAFCCE1AAE8634BEA16CB0A66525
                                                                                                                                                                                                                                        SHA1:04D86344FD928CFA0923AF1C89CF03C1CBB48C51
                                                                                                                                                                                                                                        SHA-256:362ECCB82F887E75E43AE45EBF01555C7A660B7646C72F1DE90BB35B68E0B686
                                                                                                                                                                                                                                        SHA-512:3A882AEC5EA73A7F4813D4ED4095CACAF562BEEC9DC52BA2F3BD38AC7FE93D284DCBF4C5F72E06928884171DB7939C81E699F4B2876A761FB80FE447C29DBFC5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22416
                                                                                                                                                                                                                                        Entropy (8bit):6.912334105408001
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kTjbocNsWMhWQrjb8vU8vMXa/rl9qX2Ip4ScCqjdAA1m5wM6guZ9Qn+0:IboYyMXuKrLy2Ip46qxf1ml67Z9f0
                                                                                                                                                                                                                                        MD5:BFD01C4A758673C34891FD1FFFC55477
                                                                                                                                                                                                                                        SHA1:61DBBDA315DAEA6A34B925A310125935CD7C1198
                                                                                                                                                                                                                                        SHA-256:BEA6A7258A0D152C5A42D71F07CFE6CFADFBCFE5DFB7675B38BC61DAAC9B79B0
                                                                                                                                                                                                                                        SHA-512:4DE27F36E91093C18C40BBFF9F006981DF84992465CDB7786C8B991B9ED01C3C2009394F834F0DFFDB67CDA153CB244AACEFB89C3EE17BA6C2868259BEB22845
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22936
                                                                                                                                                                                                                                        Entropy (8bit):6.8767684346517735
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VesTEpq4YiZUlW/AWXIZWWAWX5rjb8vU8vMXa/rl9qX2Ip4FBqjdAA1m5wMPhzm2:BwTiYXuKrLy2Ip4bqxf1mlZxfOpK
                                                                                                                                                                                                                                        MD5:27F411F1EF2426DF34BB17BEDECAFEE0
                                                                                                                                                                                                                                        SHA1:3314A0DF208A784556D45E3B24EC7C5F5966D331
                                                                                                                                                                                                                                        SHA-256:C9B9531F80B793E389E093DF7CAD3C5B9CB105CCDF0BE26016DE2649392FEE35
                                                                                                                                                                                                                                        SHA-512:45B3B4D4AD2ACEBB0FF7DA3E151C401A861403A3A68ADCE6C36D09E116431D5FFF06AA649F613F440B9D215FB937897BB6A906501D7D4FDA1B75FBE2E2FB0B93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.989861018684459
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DSKiWIhWzrjb8vU8vMXa/rl9qX2Ip498pJqjdAA1m5wMPhzmufYKNNY:DSK89XuKrLy2Ip49cJqxf1mlZxfYK
                                                                                                                                                                                                                                        MD5:D3164AB3757AB411C4C9FC5A417F26B3
                                                                                                                                                                                                                                        SHA1:19487D42FDB1808C226AE9128CA1189D7E687702
                                                                                                                                                                                                                                        SHA-256:16803D98138027A10112CC3D2642E2A00DCB937CD7A0971C5D6F6D00106FA464
                                                                                                                                                                                                                                        SHA-512:DDF1BAC2745E14D02CF61177F3597D37BE15A732305B23936E918A3089E26F8FD0445465F1507FF0687DCF28DA6CF7D38B17EF634A13168BE29574FACB5118B5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.9408109464096075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+0KbZWApWmWTpWcrjb8vU8vMXa/rl9qX2Ip4qRRqjdAA1m5wMPhzmuftKNNO:5KRygXuKrLy2Ip4aqxf1mlZxftK
                                                                                                                                                                                                                                        MD5:2FD13D08E3B766CB02C80D377282C4AB
                                                                                                                                                                                                                                        SHA1:E218609C80BE9C8EFD8D8369FB852452D31FFCB7
                                                                                                                                                                                                                                        SHA-256:67E73CBB1BDC9BC07DE45BC22A76CA906262EDD2CB91D31F1D4F57F55180D290
                                                                                                                                                                                                                                        SHA-512:6A8D85AD341BBD98FACBEDE163AF89DC7678E8D9FBCD036E69DAB88550F04DFECBCC5EA74DAFF63C2C0F0D76B9A88B9BE2E0F9FD865EDC4FC609B5F2B542C068
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.014492474673226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zb1nWCXWbrjb8vU8vMXa/rl9qX2Ip4ecpoqjdAA1m5wM6guj9QnT:v7zXuKrLy2Ip4L6qxf1ml67j9g
                                                                                                                                                                                                                                        MD5:7FBF9BE8760B228EA359DD18228E3585
                                                                                                                                                                                                                                        SHA1:2CA2B66B195883A63A6358FE5B9555F020847232
                                                                                                                                                                                                                                        SHA-256:3CF8F5C797FB226DA991F3EFF2765424E0E3C25A1ADC854A9DE338979133794F
                                                                                                                                                                                                                                        SHA-512:0AA38CAF657254464872AFF6815679B4D150430968AF7180B7687107CB18B599909848A1571D01A55EBE2D176401783F279622A3A78EC3565E2367B79B6173AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.944841054753074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eAyW7TWXrjb8vU8vMXa/rl9qX2Ip4gglqjdAA1m5wM6gu09Qng:9fDXuKrLy2Ip4Lqxf1ml6709j
                                                                                                                                                                                                                                        MD5:E81BAB6F613F5EBB994BAF77018C112B
                                                                                                                                                                                                                                        SHA1:84A7B348FCCCD3F92F1CCF3F08F11E57DAE706E4
                                                                                                                                                                                                                                        SHA-256:29D4441E2A5670ECDD7284311D0BD31AA538847EF0C724098E4AB19178213838
                                                                                                                                                                                                                                        SHA-512:349A5C7CA1E4BD946E5F77261E18A3DA663B31944F07FE090CD708419301860A097F1E536FFC4DDA0FEA91E438222FE9F9346949A4E8376634120256A6CE5EFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.029383410648929
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:c6Rb32WVzWQrjb8vU8vMXa/rl9qX2Ip44yqjdAA1m5wMPhzmufIKNNyU:7Rb3dyXuKrLy2Ip44yqxf1mlZxfIK5
                                                                                                                                                                                                                                        MD5:05D79DE49E4C9BF340EB098E6DED5917
                                                                                                                                                                                                                                        SHA1:35C9F43755220E6192B54002DB32C5C4AB1088DD
                                                                                                                                                                                                                                        SHA-256:823E31F623D4CB95791019279F19E489150FC6201B3256289A4BAAF935DA7CE7
                                                                                                                                                                                                                                        SHA-512:B94F057875779DAB90B2C141C5CCF9AF9B6EC00FC811F20E3DDCD1428ABED70E9D0982BB15AB4A58226EDC569882825991FBE1344650109CB8E8A596F1F2CF6D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37264
                                                                                                                                                                                                                                        Entropy (8bit):6.704001354101083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:iu5I+sqOylryry8qqIfUc7a5sXuKrLy2Ip43qxf1ml67/9NN:iYIVBpry8qqIfUcm5sXd/9wfIw/l
                                                                                                                                                                                                                                        MD5:373B9C913274CCB52BC3B6B86E7763B6
                                                                                                                                                                                                                                        SHA1:D9E0138D6E38E0CC4CD2BFA5EE98D163CEEDA2AF
                                                                                                                                                                                                                                        SHA-256:6F5ED445A69CD054FDDC3C603F13DC29F15779B3B19A0AFD8ECA3D9F54FCB7DC
                                                                                                                                                                                                                                        SHA-512:05CB2E997688A403824C16C93966A72E857D8C60FE0ED666085448EAC3A8F8600AB3AD9E6257506825C13F4B2421BFDDAB76EC8DA156D8C6B88CDD14E977F910
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.015718437382717
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hvn4HREpWiQWXrjb8vU8vMXa/rl9qX2Ip4TqjdAA1m5wM6guV9QnSH:ASuXuKrLy2Ip4Tqxf1ml67V9R
                                                                                                                                                                                                                                        MD5:AD344623E0C45906EC8F18121DAFE651
                                                                                                                                                                                                                                        SHA1:4BB126529627407B5E22FB452F388BE75BAB48E9
                                                                                                                                                                                                                                        SHA-256:2A21E1A992B6B4828F53BCAA31997DE566B13F7BCFFA908014E23618F537647D
                                                                                                                                                                                                                                        SHA-512:E9993F877189CC542279475C7C16C56A1C26BBF05D1856608FF3E3AED8C5146F991AC71A65FD31F29DEB004F73E1B6EFD58E320F7DD8B301EEE1DC8D9ACAE2E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21904
                                                                                                                                                                                                                                        Entropy (8bit):6.934975039628783
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:y8MjKb47T3UCcqFMkJ59WdtWurjb8vU8vMXa/rl9qX2Ip40qjdAA1m5wM6guw9QB:/MjKb4vcGdO+XuKrLy2Ip40qxf1ml67p
                                                                                                                                                                                                                                        MD5:8AC231B1BE20E9426D651D1F4CEA7D89
                                                                                                                                                                                                                                        SHA1:5879A76E7E7B64E734F6846D897E89A06CA53AA8
                                                                                                                                                                                                                                        SHA-256:9C1CFA57C639680D92604A6B4D50E0D7A9F59F19450A1F27C9F7977B465A20FE
                                                                                                                                                                                                                                        SHA-512:BA2AE857A785D8B49DE640B26D38DDA590A506F65A7904A4AAA13823DF8FE1F06D05D9B06021FC6D6DDBEFCA7C8E53697F0C8C75FEA29F2BEC2332C06A96E63D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):6.99921281393279
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/zyNXd4+BW6FWprjb8vU8vMXa/rl9qX2Ip4O5/qjdAA1m5wMPhzmuf8HKNN:+zHXuKrLy2Ip4iqxf1mlZxf8HK
                                                                                                                                                                                                                                        MD5:9FFEC8773BEC366494195BFD65CB4102
                                                                                                                                                                                                                                        SHA1:4B4A2CA3438556701481A4CD818132548A1C2E70
                                                                                                                                                                                                                                        SHA-256:53B64C6493ED5181BCB26570232085081EA4B8468049035CCEFD58D877E18A12
                                                                                                                                                                                                                                        SHA-512:52245F4BB606AD7E91755391663906A7736706E51C865AA9812305F388D810AA0CA0905D512C8A90DEC218A2E9CB3060FF382041308C7B58EEE5048ACF0D1F25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):7.004471096781398
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kvs2Q3HKJNrWWRWkrjb8vU8vMXa/rl9qX2Ip4fLqjdAA1m5wM6guz9QnWG+:kuMsXuKrLy2Ip4fLqxf1ml67z9NG+
                                                                                                                                                                                                                                        MD5:B87241043E17D3F956E4AE103089053B
                                                                                                                                                                                                                                        SHA1:16AD8948E6AF41BA27318A1F6EDBAD14C76344BD
                                                                                                                                                                                                                                        SHA-256:4D30DEF6B6CB172FFC1EE92B33D94110EDE4C17590BB0C5267440FCF53AA55F1
                                                                                                                                                                                                                                        SHA-512:FDD82C81B7C9102FD070631A67BC95209AA1FF9C413214533FEBDA78456D176F1EB08DB3E16F430A0FF3705E2885CD72BBFD7E2CE7AC3936718F9E8796245F09
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20880
                                                                                                                                                                                                                                        Entropy (8bit):6.986278450487078
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OFz0Q6gcqRhcsMWdMWjrjb8vU8vMXa/rl9qX2Ip4HqqjdAA1m5wM6guD9Qn1d:OFz1c6iXuKrLy2Ip4Hqqxf1ml67D9gd
                                                                                                                                                                                                                                        MD5:D895C5F36EC562EB931D21D6B3F1F998
                                                                                                                                                                                                                                        SHA1:B584F943419C8DD454F0131022D7B2A05973A276
                                                                                                                                                                                                                                        SHA-256:F509E56329F445C5A0AA4B11E50B4FF5E2FCCA46824AAED0A6507DD58C1EF3EF
                                                                                                                                                                                                                                        SHA-512:C846AB3FCA893A5583804B23FC3196275C8D344EE33178E25AEDD452CB610ECE0FE1427C77A9FD93BA15D42054139D499D8F4EE504EBC64CD346CA0E2F021B75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.898297723733377
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:a6xWA3W4aW/NWNrjb8vU8vMXa/rl9qX2Ip40qjdAA1m5wMPhzmufeKNNZ:aaBjXuKrLy2Ip40qxf1mlZxfeKV
                                                                                                                                                                                                                                        MD5:1CAF198153C3222036D42EBBD391BBD1
                                                                                                                                                                                                                                        SHA1:CAEF86DBC38940456D6763C6BC2EDC66AF8D4C0D
                                                                                                                                                                                                                                        SHA-256:75C300921F4B45631CB15761C5C317AD1B312E353E2E8F7F25053098CCDA1BD9
                                                                                                                                                                                                                                        SHA-512:6F6C3BB34BC127B634E35E6581B2A7E2EDC7B0DEC74F6C255520D56E5BAA143765C6FCF53181401D967D8FB2D2EEF9A15449154B39177C237497E2576034ABDB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):78736
                                                                                                                                                                                                                                        Entropy (8bit):6.084988879815081
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:7784YWau8lqubx6WxXLA+o2SLFyEdux136ytgHo0AuresehSACXd/9gfIw4g:77NV8v36tI0XCKAsi
                                                                                                                                                                                                                                        MD5:C9262A2236180A3B2173F1B0334D9E1F
                                                                                                                                                                                                                                        SHA1:00E87EB59A4F676CA91A989E189B8A914B20E4A1
                                                                                                                                                                                                                                        SHA-256:40754BF33FDAC1C6E00186FA749BD723C3D30A7C1C3FC7D8729DE78F133069B4
                                                                                                                                                                                                                                        SHA-512:D157C2F7E1B987B082E2AC16367A1FFB10BE4958319F992F576764D53BD646A4E5C87AA11257567D699BA873B5186367D7ABCD84BC886A741D1D23312AB22250
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.993352600553508
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5r97WquWzrjb8vU8vMXa/rl9qX2Ip4kqjdAA1m5wMPhzmufXKNN:5RJcXuKrLy2Ip4kqxf1mlZxfXK
                                                                                                                                                                                                                                        MD5:0D2F43BD0BCFF8FAC52703CE9D04CCB3
                                                                                                                                                                                                                                        SHA1:EE92B0CA0E332CDFFA8C5E14D35FCE03C30F5D8D
                                                                                                                                                                                                                                        SHA-256:140F5CE4EA3886E923A9B18CDB05DC9B73AC174A0D32BB02D8B7199C332A1692
                                                                                                                                                                                                                                        SHA-512:26E395CB19260ED16105DDAEE6BD181E4D19795C5006892B9B64F8F17B75D9DDE2D348ECA7172F3B2661CE74D083AA7E5796BB536A8B2C2C465DDB0087326011
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.956866854824385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:E16eWLDWxrjb8vU8vMXa/rl9qX2Ip4d00EqjdAA1m5wM6gu49Qn8:86LxXuKrLy2Ip4K0Eqxf1ml6749v
                                                                                                                                                                                                                                        MD5:539991C7FEE83CBB5E9A7F25B1375E87
                                                                                                                                                                                                                                        SHA1:693B927D95825B89AA57B8E4ADA7F60720603647
                                                                                                                                                                                                                                        SHA-256:B1ECA57992B81490F1F93409E1CC1C3F802407F2A795689206718169BDB516C6
                                                                                                                                                                                                                                        SHA-512:90EC5CB7B39045759119224B581128CD2030E4702164714BC154550C4C176A02DCA68D9086B95982FC5525498CBDC2703DA68998B1122E7D4522895A20359E97
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22424
                                                                                                                                                                                                                                        Entropy (8bit):6.937262288784869
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:28G4YC2W+wW8WpwWQrjb8vU8vMXa/rl9qX2Ip4ioGqjdAA1m5wMPhzmuf3KNN51:5GZ5rXuKrLy2Ip4+qxf1mlZxf3K
                                                                                                                                                                                                                                        MD5:E23D89276E18FAC40B8C581C197B1770
                                                                                                                                                                                                                                        SHA1:6252A944839814C044DFDC4D44C24657104FC085
                                                                                                                                                                                                                                        SHA-256:DD6B741C684085C33EEEE29C4E7C072656A8C6586B8EE0E1332EB1B5B7D80E3A
                                                                                                                                                                                                                                        SHA-512:360D88249B5B6FB192BF36E3860199E343590835DB3B5A618C1E8F3A61C7E5A045601185F538577838738BB8BB4F975F744C73B10CB93AD890C7C9877E2F77E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20888
                                                                                                                                                                                                                                        Entropy (8bit):7.023568985074965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:l6ziqTEkGWvRWYrjb8vU8vMXa/rl9qX2Ip4H2prqjdAA1m5wMPhzmufM9KNNKQC:lYT10XuKrLy2Ip4gqxf1mlZxfM9K1C
                                                                                                                                                                                                                                        MD5:B3B064F45DE5866D39582B028A327B62
                                                                                                                                                                                                                                        SHA1:7D85A0C78829C538761791A6DC18D99FD686DEB4
                                                                                                                                                                                                                                        SHA-256:CA9253BBF89700E2B26E42E55B8A59E051A200E97478987AF5954F9A4A5F4E77
                                                                                                                                                                                                                                        SHA-512:48C36FDAE319B7AC3F0760D6BF7EB3154D52A9A596EC357757DBF96E2692F992AA804777E68A3250055CFF69195BA2E04653AF0D81C8034C7D281E1E6F3189DF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21400
                                                                                                                                                                                                                                        Entropy (8bit):6.964983762636802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DUv7c7iWNCWmrjb8vU8vMXa/rl9qX2Ip4GvGsqjdAA1m5wMPhzmuf1KNN3:DM7c1HXuKrLy2Ip4mqxf1mlZxf1K
                                                                                                                                                                                                                                        MD5:78C5E330C1F7D095CAFB37A9508F1445
                                                                                                                                                                                                                                        SHA1:AEF6C05B078E5419EA1F92B62D0954BEC194F4D5
                                                                                                                                                                                                                                        SHA-256:ED73D4B1FE8D9AAF380210369CCD60B38D617A982F810904E31FBA0913563059
                                                                                                                                                                                                                                        SHA-512:4B6D5E2A6E722B8CB661F6296D74909FD37DAB4658E0B3DABE4D27BAD8B65C44FD2375A3412AC56160A11511C6969B4B118685FF9C5FA4C09A4433E27EFC047D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.993084353390652
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0SWnRWBrjb8vU8vMXa/rl9qX2Ip4aqjdAA1m5wM6guax9QnVdG:0zfXuKrLy2Ip4aqxf1ml67S9N
                                                                                                                                                                                                                                        MD5:019B2B2E9F485BED793524B1A7CF7BC6
                                                                                                                                                                                                                                        SHA1:F841EF989DBB8A286A269F8316C71F6C9FC6F77A
                                                                                                                                                                                                                                        SHA-256:C6E21876D578F19ACD8BF73A8EDA439D1A563C7AC5FDAA7D1D820B3BC09FDA21
                                                                                                                                                                                                                                        SHA-512:D3AAC4580618249B64188B3818F1F860637FCA46913E5F6263B5885386A747EB41AA743677437C60328D2BEABC89B68D00B3C24CE8B534088C222D5DE713875E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22936
                                                                                                                                                                                                                                        Entropy (8bit):6.934436567926955
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3oMeAKyr1jSC6Orjb8vU8vMXa/rl9qX2Ip4INqjdAA1m5wMPhzmufLKNN:3oMbKK1OBzXuKrLy2Ip4INqxf1mlZxfe
                                                                                                                                                                                                                                        MD5:D023A25ECBF9321A642C0C48ACC8D9BF
                                                                                                                                                                                                                                        SHA1:00DD8852D2EFA6CB26FE2285B321E3191366F334
                                                                                                                                                                                                                                        SHA-256:D27625D947196306D5ABF49AA506C626AE76B43A7EBA5C9A36AEE7B04E9BD5AB
                                                                                                                                                                                                                                        SHA-512:286026C3E67E8ADC6373C71B800E875555059C993B3047C6B12F271FAC6707675F225EF4B39413AB577FFF85D21AA06E244EDF5C9EC2C456C791755E11707709
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1968176
                                                                                                                                                                                                                                        Entropy (8bit):7.8092639751415245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:ndlczrfrH0aJTylWcs5IP63tFOzfitt2Yiu0:ndlcvTWlZ6IP63tifi7Lq
                                                                                                                                                                                                                                        MD5:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        SHA1:F0020E1D0ABABD096BFEFCBFACB150889328A28A
                                                                                                                                                                                                                                        SHA-256:10E61ACA57FB74AC71238E8E0C9EEFB3942A646F7773BEA1B4348CAC922C9336
                                                                                                                                                                                                                                        SHA-512:33F903BB6B19A29BD09EF515977439EF6EF63EBC0640CECED61DD7D7FB35A5DEABCBA5F2F8B0A01015778E22F2AAF2050D3521B37326305E0055682B8C3E547C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):377176
                                                                                                                                                                                                                                        Entropy (8bit):5.999945871691186
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1BDotCsX0mytklk/i2PziH5XiX2huoW9h7dp9Q5FG85I2YYCQLk6j:jWCsDytkxMzUhYhFH/i/eLkA6j
                                                                                                                                                                                                                                        MD5:F2C339446D80393CF12236A064FA5182
                                                                                                                                                                                                                                        SHA1:4274F6487AC9249FD4B49DD5D22EB7CF60A67046
                                                                                                                                                                                                                                        SHA-256:863A22F58523D47B94E1273ECF9E2F280D0715FFC20A46D704993A32F54829BE
                                                                                                                                                                                                                                        SHA-512:E65CF3BBD78AB8DE244E47AEA6BFFE1CCD3B22B32A2260C9BA761D2C1F00A03AED17E6144E271435DC44C1F139AD74743F4F52A6140253B77842DEEDEA4DCF00
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):273816
                                                                                                                                                                                                                                        Entropy (8bit):6.06218747872376
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1lPLikZqxz9Prt9e1bd6JcAMaLD0qjR0FC4YPH:1FmX9e1bd6JcAMq+FpG
                                                                                                                                                                                                                                        MD5:5C3C8EE549D3D2A943EC3E40447C783E
                                                                                                                                                                                                                                        SHA1:CD85FC9CC45F7E8296894A5086067A88A2B3EA94
                                                                                                                                                                                                                                        SHA-256:94E940D220F413BABFFFBCFEEAE78257E234B5939EDD8C24200FD9CE030C341C
                                                                                                                                                                                                                                        SHA-512:890615754B4435F7B74A94FB9818083BBBAC135BBD299D9FCD1DFE6C8CB0B033E5488D3BC14716BE01D3FC5CDC4031826C5290EB613B6F151482183A50E4BD4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1804184
                                                                                                                                                                                                                                        Entropy (8bit):6.3419054803582515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:hrPHIDLY5h/Ud23lAy7ldZyzjIK3Y9bni0QwURlG3xA44jqfBlMoTV:hUo/Ud2V17liz29utwURluxN4
                                                                                                                                                                                                                                        MD5:BD6850C616CF2F9FF1FC9183A2FD9EB2
                                                                                                                                                                                                                                        SHA1:B9DED17B6566F523E5EF658B696E0DD9B9E0361B
                                                                                                                                                                                                                                        SHA-256:3F92D378C5921FEE588C2BD91DA672DB5A266FC6DC6FD81AEED94EAB12AF9C41
                                                                                                                                                                                                                                        SHA-512:3FA9F7F7E404FAE7615015661F7D3CE68AF2D32CEEA3B1A0BFD1C0DC4105A9B029A62D269CE5CE8B4E3A3676894FF3A76E9F18C70B9F78B36EA93E1B08743337
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2357
                                                                                                                                                                                                                                        Entropy (8bit):4.908284940509403
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:o55s8iPgzK7W96MhM5IVkZJElInU/9ysI1qNA:o550ozK7WFhM5I6eo89ysI1qNA
                                                                                                                                                                                                                                        MD5:2AF5B11A9B5F5B7C2BFEA7A3D7186B85
                                                                                                                                                                                                                                        SHA1:E1F32261FD6D3D4679740B69E923CB053B30CE5F
                                                                                                                                                                                                                                        SHA-256:6953F1DB3172307E77B65295FDE86915E77A0589B6669EB80ADFCDB8056802A6
                                                                                                                                                                                                                                        SHA-512:4BD531D81FE46B1ABE933258C945683D98209E3C83BA3B3A0AB136F6D1A3D22D8731131FD6D11B58D8FD7B642E324C3DB1942BA22E9033CB76302E110E8D01DF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<instrumentationManifest.. xmlns="http://schemas.microsoft.com/win/2004/08/events".. xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events".. xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">.. <instrumentation>.. <events>.. <provider.. guid="{b5a0bda9-50fe-4d0e-a83d-bae3f58c94d6}".. messageFileName="%SystemRoot%\System32\drivers\rsElam.sys".. name="Reason ELAM Driver".. resourceFileName="%SystemRoot%\System32\drivers\rsElam.sys".. symbol="DriverControlGuid">.. <channels>.. <importChannel.. chid="SYSTEM".. name="System" />.. </channels>.. <templates>.. <template tid="AllEventsTemplate">.. <data name="message" inType="win:UnicodeString" outType="xs:string">..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):5.230162000430176
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FhHP8wMlKnfM2nnwrIP5yHvb2/oyzvTB+X:zkDlE0ow2yHvb2XzLB2
                                                                                                                                                                                                                                        MD5:EC813E1F8F193DCE5B07ADA4FEE1D43A
                                                                                                                                                                                                                                        SHA1:9464FB33B041B54E20BC71D4BD67185B255A3809
                                                                                                                                                                                                                                        SHA-256:FDACE7F8EBF8CD4A8CA18A172A604132CC2BCF000083DF69A4B9D54A10DC1BE6
                                                                                                                                                                                                                                        SHA-512:9EE51D25D5F7679C3038F0B77AECF0AC29DE57E4065BCE3105AD21A9D37CF9818F67B2AF32823E781E5D38E360BC249E46979F674BDF1DCE85072ADA4795CC5E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[Version]..Signature = "$Windows NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider = %ManufacturerName%..DriverVer = 04/12/2022,0.0.0.6..CatalogFile = rsElam.cat......[DestinationDirs]..DefaultDestDir = 12....[DefaultInstall.NTamd64]..OptionDesc = %rsElamDescription%..CopyFiles = rsElam.DriverFiles....[DefaultInstall.NTamd64.Services]..AddService = %ServiceName%,,rsElam_Service....[DefaultUninstall.NTamd64]..DelReg = ElamDelReg..DelFiles = rsElam.RemoveDriverFiles..LegacyUninstall=1....[DefaultInstall.NTx86]..OptionDesc = %rsElamDescription%..CopyFiles = rsElam.DriverFiles....[DefaultInstall.NTx86.Services]..AddService = %ServiceName%,,rsElam_Service....[DefaultUninstall.NTx86]..DelReg = ElamDelReg..DelFiles = rsElam.RemoveDriverFiles..LegacyUninstall=1....[ElamDelReg]..HKLM, "SYSTEM\ControlSet001\Services\rsElam"....[rsElam_Service]..DisplayName = %rsElamDisplayName%..Description = %rsElamDescription%..ServiceType
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19944
                                                                                                                                                                                                                                        Entropy (8bit):6.115904530529
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:L22mPMNY+DHa3eLzeCvUkjWHhELVWQ4aWSWDqF9e+X01k9z3AzsJO4gdHfQhW:L4M1u3LCskJpWe99R9zusZwfQhW
                                                                                                                                                                                                                                        MD5:8129C96D6EBDAEBBE771EE034555BF8F
                                                                                                                                                                                                                                        SHA1:9B41FB541A273086D3EEF0BA4149F88022EFBAFF
                                                                                                                                                                                                                                        SHA-256:8BCC210669BC5931A3A69FC63ED288CB74013A92C84CA0ABA89E3F4E56E3AE51
                                                                                                                                                                                                                                        SHA-512:CCD92987DA4BDA7A0F6386308611AFB7951395158FC6D10A0596B0A0DB4A61DF202120460E2383D2D2F34CBB4D4E33E4F2E091A717D2FC1859ED7F58DB3B7A18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11062
                                                                                                                                                                                                                                        Entropy (8bit):7.302964587285633
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:TohIuPyyJCx0jnyKQvAIFWQFljudcCFaqDu0K9X01k9z3APi5t:000ivAIFR78cCFYj9R9zqSt
                                                                                                                                                                                                                                        MD5:DF4EAED5CF816C9F03DBC95AB74BC8A8
                                                                                                                                                                                                                                        SHA1:CA40FF3D91D3D3D75286EFD1C320CD1DCCB6C3DC
                                                                                                                                                                                                                                        SHA-256:34C442AA2B53F2256108FC54CAD61C820884C8195193CECDA2BCBBE33D05359E
                                                                                                                                                                                                                                        SHA-512:E53F25823A9B875EB67C16888E61566357853CCECDBB287AFCE8637FE08674EFF5EAB825CA687F66838AC6F01A1B0A1CC561F4BA12BCFB756DD20CB8B102BF50
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1102744
                                                                                                                                                                                                                                        Entropy (8bit):7.355079963142068
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:n1F/DU/0v79/tgAOA+dGog4gGxHn2CbEXZnd:1F3TgA5+rxH2Cbe
                                                                                                                                                                                                                                        MD5:6D27FE0704DA042CDF69EFA4FB7E4EC4
                                                                                                                                                                                                                                        SHA1:48F44CF5FE655D7EF2EAFBD43E8D52828F751F05
                                                                                                                                                                                                                                        SHA-256:0F74EF17C3170D6C48F442D8C81923185F3D54CB04158A4DA78495C2EC31863E
                                                                                                                                                                                                                                        SHA-512:2C3587ACAB4461568AC746B4CDF36283D4CB2ABE09FC7C085615384E92F813C28CF4FCB4F39EC67860EAC9C0E4A5F15021AEE712D21A682F8DF654968ED40EA3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\mc.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):98192
                                                                                                                                                                                                                                        Entropy (8bit):5.635494834873184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:t2Ec05j4eAH64rh5fSt5T9nFcI94WQXd/9WfIwd0:clK4eA7mDmWMR
                                                                                                                                                                                                                                        MD5:59EBB326B05EEC4ECD7EFCE099398425
                                                                                                                                                                                                                                        SHA1:70C87E9039ABDB0463B93C322B82CE2C136995AC
                                                                                                                                                                                                                                        SHA-256:098DA26CFDD17400B4D8DB2BF72FC7D903C2914DF9F44252EA263F1D68B2B0FC
                                                                                                                                                                                                                                        SHA-512:DE07599C2099CBE5AA1D4EF0D157434EDCEEE7FA429C77AF96E72D4BA3D927F7C0F1D64DCEB9FEB9300EC9EF6DB32500E376421E8A05A99EC3C8A1B96ABCDE2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ReasonLabs\EPP\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1352088
                                                                                                                                                                                                                                        Entropy (8bit):6.500534050429
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:0rXxKmWyc6Xwb9/BSWh/7Ds0x1QbD+JRyxpCcLwg4LjXPpS2FV4VFAFh0lhSMXlJ:0rXxKmWyc6dWh/7DQLpqp/FmVFAc
                                                                                                                                                                                                                                        MD5:77665AC5A5006699356309D888C84785
                                                                                                                                                                                                                                        SHA1:84916A7630E6ACB0284F9AAA10DB3C7A6CB3CA73
                                                                                                                                                                                                                                        SHA-256:CC35463C47AA6F227E99E4984536F7531936B6A751F68FE17460F307BD44E53D
                                                                                                                                                                                                                                        SHA-512:48429373FB6C0F2CC2EA00CC5FC98ABAF32FF55AB5CCDD3DFE7EBBCC6A3741F650FBF8C677A5EBDEE94ECA17632AC97E4C2B210A144DDFA9340BF1DF7086489E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):162712
                                                                                                                                                                                                                                        Entropy (8bit):6.432480830925195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6X5TgLoWlo6zvLblsvv5Emm16e68QNmTNh3l2AuZejZnj6:+Oom9Av6RvfltqEZ
                                                                                                                                                                                                                                        MD5:875E26EB233DBF556DDB71F1C4D89BB6
                                                                                                                                                                                                                                        SHA1:62B5816D65DB3DE8B8B253A37412C02E9F46B0F9
                                                                                                                                                                                                                                        SHA-256:E62AC7163D7D48504992CD284630C8F94115C3718D60340AD9BB7EE5DD115B35
                                                                                                                                                                                                                                        SHA-512:54FDC659157667DF4272AC11048F239101CB12B39B2BF049EF552B4E0CE3998FF627BF763E75B5C69CC0D4EF116BFE9043C9A22F2D923DBEDDDACF397E621035
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsAtom.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150416
                                                                                                                                                                                                                                        Entropy (8bit):6.2747649458784975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+qxmHXV9f34c36vGyAFLmiLQJmh1T9MluOJ+LcZoS:YHXzfuvGLFLmiLQUeuO4Lc
                                                                                                                                                                                                                                        MD5:6D6CEE8DA2DCDBC3229D6F9D4AAFC368
                                                                                                                                                                                                                                        SHA1:4311617DE0413A76627673A3FE679B291C5E73A9
                                                                                                                                                                                                                                        SHA-256:CAB1E92182484FB88970C96450C0C7EDC363583A45765FCDB15BB44E6431EE66
                                                                                                                                                                                                                                        SHA-512:BC196441EA0A61B460A107FDB6C3CBFCAF20DF0D0A6095F3B68EAD3AB6541EB39685CCF1537734356974A0DD39F58873B7A9AFE608E5E37CB548D2AC9C85556A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsBridge.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21392
                                                                                                                                                                                                                                        Entropy (8bit):6.914600122840343
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2GK3h8ZRrrjb8vU8vMXa/rl9qX2Ip4gqjdAA1m5wMPhzmufncKNNRr:BK3h8nUXuKrLy2Ip4gqxf1mlZxfcKdr
                                                                                                                                                                                                                                        MD5:0814E3D5EB4939B1F730A8D7E785C47D
                                                                                                                                                                                                                                        SHA1:9B0213537F16EFA71B21D1F7FD53F978C69873A7
                                                                                                                                                                                                                                        SHA-256:A07E70CAD2A36ED93C610113C35E6949FCE5EEB60115BBC2BDE76AAE68EE118C
                                                                                                                                                                                                                                        SHA-512:E2BA7CC3173EE907A23517DDCD48A6B3CDD7084DEEB0ABF83962F1E5CEB2179732B4754950FF4C2DADF96EB6926CC94CE42AFAE90587DD6A364AA00C4C17E6D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28560
                                                                                                                                                                                                                                        Entropy (8bit):6.694468335521907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:c4wXL42btPdC3h8YrXuKrLy2Ip4K/qxf1mlZxfpKIM:cDbtMR8YrXd/9DfInfpDM
                                                                                                                                                                                                                                        MD5:19D6E8E558B1AA74C6D23CF07082DB55
                                                                                                                                                                                                                                        SHA1:077C346DC3190D5BA320786C065FABF5BA9EFDD2
                                                                                                                                                                                                                                        SHA-256:1FA38413590B2C73B082BA176679D378216CCFE120B4672F99AB7650C947C97F
                                                                                                                                                                                                                                        SHA-512:88208A173AA6FC9AF4610E952F132CD6FA7DA39F439FEE361A3A5D2AC754022B8E6BDAF88164DBD1FF481EC7F3ADFCFA92010817D11758C4F828F73DA56898AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):161
                                                                                                                                                                                                                                        Entropy (8bit):5.010777093927904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:vFWWMNHU8LdgCQcIMOodBQV7VKXRAmIRMNHjFHr0lUfEyhTRyAEDDQIMOov:TMVBd1InV7VQ7VJdfEyFRyAqDQIm
                                                                                                                                                                                                                                        MD5:DDC25AEFCAE9826CCE1754C2C89E959D
                                                                                                                                                                                                                                        SHA1:36899490B8B0CF36AE8A1477468F3884C0CC9664
                                                                                                                                                                                                                                        SHA-256:F8AD17C37D444521B3905CCBD75EA6CB6E3D2763B16EB56B2E1AA4274173E614
                                                                                                                                                                                                                                        SHA-512:4C52E02E4E6A17FD36714E3769D34BC14675D47BE0322B14F4BBB13268C34DFE647A37DB7DF0DE7D8C31494BF878B597EDF85913E7FB648CB0D993E89FB5D611
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/></startup></configuration>..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):673176
                                                                                                                                                                                                                                        Entropy (8bit):6.493074173807659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:lOguoezLfVAMFgCNS+MvHY/8j+7rmboDhgkEHoNOkPar:lOgud/jFgq6Is+7rmbGhcHsz
                                                                                                                                                                                                                                        MD5:31D9FB62E2C93B09EA373506809B7127
                                                                                                                                                                                                                                        SHA1:9F2B25D0F7853619D9BB9ADA07F3F4D28EB2D01C
                                                                                                                                                                                                                                        SHA-256:E20D6F35A53A65BA5922D22C47CE6CA650B9F54B4637C1FC3C3904FCF6F18D31
                                                                                                                                                                                                                                        SHA-512:62CEE54BFA73E4380BA44551A88070C8DF9F7D0DB1FB3A7E608FC4F701280436B3C9DF66E0163065D42E9A1C7B67E1D2949A149B0D86FDF2D2E7FCF918F346DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):174992
                                                                                                                                                                                                                                        Entropy (8bit):6.476998012723448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:lSa2SASiV7/3JThFoPdXTssFBSKvvvvnPPH6Gi5tPArrYeiYiPKiA15/ph9r6rrP:kjiWbJTPo1XTPPSKvvvvnPPH6Gi5tPAq
                                                                                                                                                                                                                                        MD5:F2A2479CF7C7F75D03031D0FDDBB8D50
                                                                                                                                                                                                                                        SHA1:7BABA31B7BDEBAFA3DAB82E74854D22E597A1CC3
                                                                                                                                                                                                                                        SHA-256:C2247C9154BA6FF0DD755CB12691ABCD2950412C3F52C61F0D40EC31512B6495
                                                                                                                                                                                                                                        SHA-512:441E5DC9A18006E246A812D851A29D69344734EF6E6606F636606AAB78678AF60B3279C073BD6B939E437B6DE5BAA466BC1EB278EB110BBD22FC9893CE1A2E26
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsDatabase.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):232848
                                                                                                                                                                                                                                        Entropy (8bit):6.972774799084431
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:p/PgVxkDaOTtCYOA3SzduSvX0gUI+RKyE:p/PBDaOTAISzduS8JIN
                                                                                                                                                                                                                                        MD5:B33EF73F30F45BF018B445ECAEAF8BDD
                                                                                                                                                                                                                                        SHA1:6F19C2B1B1370EA6E19118F92DBCA91B4BFBDF7F
                                                                                                                                                                                                                                        SHA-256:1C40CFAEEBC3EAC0C0671B1D6B7AF58664D3940DAC5815C8FB5E5EE1473B8C84
                                                                                                                                                                                                                                        SHA-512:A3C53E25E4569A3511FCDECD85ABCA9B18963BF25EE81848F06190BACD9FD322D034FBFC02CD89FEB0CC6B17F8B081361152E4287F0724B8F116BDD5277CC3CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.API.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):218520
                                                                                                                                                                                                                                        Entropy (8bit):6.7649652451942845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3jPX44gludPPDIED0y7AFth9cT8hmXq1qtBx2BYEC9OyTQ86g1bnFaOC:3rba8co0Qkb9cTRaYdOsQ86g1b
                                                                                                                                                                                                                                        MD5:34345622DA5B7801853CFB088434C5E4
                                                                                                                                                                                                                                        SHA1:6C361BBA47737E76E14CC98BE1854D6BB2238DDC
                                                                                                                                                                                                                                        SHA-256:E02A48E5F744DC61607F95783B7F323166AD62B753A47858C4E53C2BED22A24E
                                                                                                                                                                                                                                        SHA-512:067151445A44F028E8D29AEB9F4133E072224E022344364857D70D94C244AD04639DA804AEB87D7A20F3C51897ABA6990BA3011335008526798CB1F3013C776D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.Messages.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):340368
                                                                                                                                                                                                                                        Entropy (8bit):7.20136859453715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:e+3Hrj22xfCw51t0vYerc1kG6xT/nbc+Ze8MnIeFQP1:eWrj2EL+brc1kG6xDnbReFQP1
                                                                                                                                                                                                                                        MD5:9E747A5B494570590F57D554CAC90FD3
                                                                                                                                                                                                                                        SHA1:6206DA4333F1A8FD3D3C762E8FD0074C147C8A52
                                                                                                                                                                                                                                        SHA-256:E6F40179ADB2961EB5DCDEF0BAD9D682E15CF258955F1398F3ED46E5E2C0BCDF
                                                                                                                                                                                                                                        SHA-512:AD91A4703E9A5875D76A6393067DCA00F0A8CF0984DD9D1845747D97178AC33F806C9D0931BA59DA394A7422B1D3EF20F919872B053FA7047E63460651B82DFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Client.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):335248
                                                                                                                                                                                                                                        Entropy (8bit):7.165188000389263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:n2EUqfl3Cuo5ostKP7quDImjElPGGp6l4hVdZXeCZIDq:PCTosMP7DIUElPG/4hVd4nq
                                                                                                                                                                                                                                        MD5:9D3D8CD27B28BF9F8B592E066B9A0A06
                                                                                                                                                                                                                                        SHA1:9565DF4BF2306900599EA291D9E938892FE2C43A
                                                                                                                                                                                                                                        SHA-256:97FE82B6CE5BC3AD96C8C5E242C86396ACCDF0F78FFC155EBC05F950597CDBD6
                                                                                                                                                                                                                                        SHA-512:ACEFC1552D16BE14DEF7043B21EC026133AABD56F90800E131733C5B0C78316A4D9DC37D6B3093E537CE1974219154E8BD32204127A4AB4D4CD5F3041C6A8729
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):174480
                                                                                                                                                                                                                                        Entropy (8bit):6.558297388047888
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:RgBO4wkYzATwjGBabx1o/S1dNTAfEkA0cRxXTMQ1HkuLoLhmtc54Z9CV5+:ReO4wKTwjGBabLoaOfEL0cfXPtcA
                                                                                                                                                                                                                                        MD5:4D952A91EF45B6EAC024F3DF9C43A4DB
                                                                                                                                                                                                                                        SHA1:D8298FC8A91CC8805EA5C0942DF6EF1F82AE4398
                                                                                                                                                                                                                                        SHA-256:2BD9562D139374C0AA7DD65347416387A8DBCC95938DDF29A768C8B78E012AC1
                                                                                                                                                                                                                                        SHA-512:C1A1895A7D9CD008104C9B7E29EFA01F5E49FB20AEE15F22EEF79D42DA87DE2F47D39F0D5F338F586FD51360DEA2AA2DBF7BED3A4BA0E8BED1529978CC0790A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Data.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):179600
                                                                                                                                                                                                                                        Entropy (8bit):6.6374457961487465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:x1yd9dJIRgFLfjrDplmjUDfsDWBXfeTKBIPqstmwu5hafIzYWVk:x1yVJI2lDplmQDCmX9IRtmR5AIzYL
                                                                                                                                                                                                                                        MD5:47E3ABFCECA92A5A83BFCD5DB1FB2DFC
                                                                                                                                                                                                                                        SHA1:D3C8D7E1F93ADF112CF045085B8CE98A7EC6D3A2
                                                                                                                                                                                                                                        SHA-256:27AAE0B3241012DE2FB7C606CB52FE9FCE9ADCEE5EF3D6FC079D8B1B4FE8B229
                                                                                                                                                                                                                                        SHA-512:00A814B1A07BB605312AE3A42275609AB0C1A72FA98134130A239D4AD49CB686C4F9CFE104B2BF98942C0E98EC56777034A8A81B6C15118B4F371573C17841C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Extension.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138640
                                                                                                                                                                                                                                        Entropy (8bit):6.120752911754565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4MZQ2tZDAxUMax8YC0qzI5ITPO5oRM8UlJ:L/tZF7x8YTqzWYk
                                                                                                                                                                                                                                        MD5:3EFDE3875D72772410628DA707BBC48B
                                                                                                                                                                                                                                        SHA1:4E5D56E5D50751E746A9736BB3E8C105FCD2E640
                                                                                                                                                                                                                                        SHA-256:A6BE9FA0E9B50609C0ED43C177EF49FDE9B715D697DE9C1A7735D664EDCF3352
                                                                                                                                                                                                                                        SHA-512:9483085CFA514B74D72581434B51503B4C6EA2B1AC05CF687588D9C0EBDB0265B4AC45817F2B82D131053C92142BF37D141CF5622E454C75584DFE5515CCAC8F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Features.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):146832
                                                                                                                                                                                                                                        Entropy (8bit):6.274886522344538
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:tFgS0V7DS77w1vHGWLjGBTT2Bq3bOEntOV:wV7DS77LvBDrNni
                                                                                                                                                                                                                                        MD5:DEEE68CBD48E7CEB344FAF7C9520C19F
                                                                                                                                                                                                                                        SHA1:F456CC941E38BB52F961D563A39F9E1A9FF7359A
                                                                                                                                                                                                                                        SHA-256:3DE2F33AB1131E91D79D4AE66930EF36C8FAAF66DF073B22BA87E3FC5CE0F97D
                                                                                                                                                                                                                                        SHA-512:603BAFF50444B0158445F2BA55BBB21E55BC9225A4BCEDE437C3C10E02D2785FD6D9EE3F0A32B63EB84C9809382B0F490ACE39D09053844301FD8E5D7C6E094C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Helper.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147352
                                                                                                                                                                                                                                        Entropy (8bit):6.27340840210344
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:erHwsA5cLaP4twvjE+YGAE/CC8kATs1U6HwyYRhNWP5W:eLws4P4mvjE+YiaOpByPNW
                                                                                                                                                                                                                                        MD5:F25C46924F7354D6DD841DDD323058DF
                                                                                                                                                                                                                                        SHA1:4E1F7E80304F60BB6D380286E4A8FFA5730691FB
                                                                                                                                                                                                                                        SHA-256:A7B5A14CEC1C111D8C5A39563BD3A6EB3844468E141AD35326600FAA90BCAFB0
                                                                                                                                                                                                                                        SHA-512:C143FEFF18C35B4BC1C751FA157FE14D27650B24876EFAE40754B9691154D105B47D4D5C58AB776E2A9D9CC4D6009F3FF9B8D65C15B6CBA3A2C1E1D0CB92C526
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192912
                                                                                                                                                                                                                                        Entropy (8bit):6.720381835235028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:RMoCXzx12SPn+v1RTjWqSoY5pflGMVE26x2Azs6nz49tZem9Z6q4cjNt8HfPpG:RMoGjoR9Som3y2/B9tZbvH8H5G
                                                                                                                                                                                                                                        MD5:CF09B1619FB435943EEA65706F5BF924
                                                                                                                                                                                                                                        SHA1:AA2F880DE69DA1F2A1F9333788D485E016F4427A
                                                                                                                                                                                                                                        SHA-256:F67294AEA83673CCCEA89E0B627531360F6772DDBD760A4772A250125A4603DD
                                                                                                                                                                                                                                        SHA-512:375CA9678CA42D358B1A06313DD7EC8C8FC318096CCC0A73EF1796F6421EA6F2430382C699FFCEAECF93D401466A0E226717640207B87EF8E3F3B615363BB676
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Loggers.Business.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):146320
                                                                                                                                                                                                                                        Entropy (8bit):6.2709634771785145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KiPMlOvU8s629y8Wct/qmZEJgRtxU5TI1PBjQlvJ4m9CPI:Ki0oJs629BWa/reQtx91JMsmn
                                                                                                                                                                                                                                        MD5:42B1B7F0824CE11BBC88014E32E00A20
                                                                                                                                                                                                                                        SHA1:2842A1FEAF40A5D63ECA2490CCC904C2102C34DC
                                                                                                                                                                                                                                        SHA-256:58A27057A703CC3232FA12431B8B17AB005F17315E6FDC113860D10E8A0EB8B4
                                                                                                                                                                                                                                        SHA-512:633EFD7CA73821B3C2C84A36462FA428146C521B4D7B95C83C00351D3A59E7B94C0B4C72C204F94E49CF49A017262CE93D19E75C0BB9A3B1338097495D8238D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Needle.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):243088
                                                                                                                                                                                                                                        Entropy (8bit):6.885872269186077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:meeLieaMlF9oHvLU3hujv9BaithuSn3uM:Xe98xHb3uM
                                                                                                                                                                                                                                        MD5:BD2DB186F7FFBF77BA0C5E2D7FCFBEAB
                                                                                                                                                                                                                                        SHA1:A962778E1E08A54B499B5D7D95F6F59F1FE9A493
                                                                                                                                                                                                                                        SHA-256:F38C51B3BDC519F8F11327291415778A16E0366586CFD0C7CF222AC52CA57D75
                                                                                                                                                                                                                                        SHA-512:D35EE3753CB3E9A645191AA8D8C99A8449CBE03028EBB94ABD52A2731EE1F73EC6CAAD36886D25DBC20A40E2BB4354421C3977B5364AD4A1A2BD08AF83285C51
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.BTScan.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):188824
                                                                                                                                                                                                                                        Entropy (8bit):6.665975866034709
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:estJ18P4GkzbDLWHtmuVTNdlDVMKyxGlAgdFCETajXHIpNvW+SIXDSrhCGLk:3mfoLWHQuVNTRgRggjXIpNutIX+NC
                                                                                                                                                                                                                                        MD5:98710635881E0BA3BFA9520A759361FE
                                                                                                                                                                                                                                        SHA1:79C5E75CAAF90FF0F5B95C06578B6B80190F8D50
                                                                                                                                                                                                                                        SHA-256:4F7DD935B3FE59FDB2FDF4DD4A997EF5CBF03BAC5CBD3E7F9A73431CE4F3CF18
                                                                                                                                                                                                                                        SHA-512:A53C06CC08837F6F40392FE9C7530EEF175858BABB58B26CC4D284E19565FD0F1504CCBAFC84F44DE0C3DC6FB675049512E5774C0E91F270467EC8291E70BBBF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Camera.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139664
                                                                                                                                                                                                                                        Entropy (8bit):6.154366002245543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Kz0Kfc7cUHxsKVzpkDrnbSF1q/t0wNZzRziBT+S/tQ8ea+D:Kz0KUggYnbSFOt0SRzJSfY
                                                                                                                                                                                                                                        MD5:5557B3F5D7780BF9159CDDB5613367FD
                                                                                                                                                                                                                                        SHA1:F15F43E9A62BFFF26E42C4B4CF5D72A6C770C116
                                                                                                                                                                                                                                        SHA-256:98D766DC15F20E33EA7F4E274CA1729E2BF2A8BF0183047547784CBD866A9C24
                                                                                                                                                                                                                                        SHA-512:66EAA1107C966AB1CBEE92F7F3605EDAD12672BF9E6977CE9CFF3BFC9D324ABC8B042C192C201B444CE63C997E210C30351954F3221B37B6B55B0AC2343C759C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Edr.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):167312
                                                                                                                                                                                                                                        Entropy (8bit):6.472492511088364
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:GujBny7QG0vArv8+pn3LjBuW61PCuT+bxsZhptUX3t:Gue0AYOLjBoPGuhYN
                                                                                                                                                                                                                                        MD5:E360FB5E08CCBE4775EEB5F01174F17B
                                                                                                                                                                                                                                        SHA1:F05FD9FD713BD86598B4D68304770B4D2127F07E
                                                                                                                                                                                                                                        SHA-256:1BDF17754F39A656B090E58219161ADAE6243E8BFBD840840EFC429EE7EC0FC9
                                                                                                                                                                                                                                        SHA-512:26F7D75410C81F0BE28E5D158ED33A094958C6FF3B79270A839AC50013F7044FEDA2A9779CB5C4FFFB3397CB5F372C4EEAC8D9FCED65399FB063FEC47DA0AB17
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Microphone.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):303504
                                                                                                                                                                                                                                        Entropy (8bit):7.289193874856881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:wWFBa/0X+2BhveyvV5vaTgToUDNeFBBH5bixLCGlWH:lW/0+2ZvjaMz8rj
                                                                                                                                                                                                                                        MD5:EA0E8D7EE0E7F2F501440CF0825C7F4C
                                                                                                                                                                                                                                        SHA1:6E0CEEDD8E6573838E7C80D4E5F47411AE749A8F
                                                                                                                                                                                                                                        SHA-256:256DCF593258214741F2A1B8C0B014AA5EFBA599D287CB9A1F83C371C1A7F037
                                                                                                                                                                                                                                        SHA-512:DF8DBA70D32679826A1A981770B5F0AB681F0CF5B5A96D43C43BC243801468080A9DC0103963E51EE8969C3DACB9583B4D65E1E2832BE52BFC0FC442DEDC6748
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Programs.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1484184
                                                                                                                                                                                                                                        Entropy (8bit):7.921186462198044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:og51Sc0hBKGOEqWjAiXIZO67zelmLBFl5Z4098UCb+5e7mVdkvcuPN+J:L0hoMvjAiY7z2yBxOm8UCSMgOwJ
                                                                                                                                                                                                                                        MD5:3AD1A722D03BBB7032DC2EA3DA28608C
                                                                                                                                                                                                                                        SHA1:32DD8530ACDB78E3E15C313F39000B0C3079003A
                                                                                                                                                                                                                                        SHA-256:F0F88CC51216E47BEB85AC9F9F13351265DE958BD23BA736C731A680B6C3F1BB
                                                                                                                                                                                                                                        SHA-512:159E4D29D1AAB901FF7A1627A54A2C551A15681272C40FA6E9DDB7F29DFFC30CFB36262067259CC0038117FD3B455EF8ABD86E2AD69601ADE789161AD451E2FC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Ransomware.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):164240
                                                                                                                                                                                                                                        Entropy (8bit):6.500058722161814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:KQBJEeoqullwGOCRZgDfGWTS6JXJ5QuPgQCgR5HPEfxe:Ae/uxWJrRZPmI
                                                                                                                                                                                                                                        MD5:9299FE388E50868AEE494453EB6DE57C
                                                                                                                                                                                                                                        SHA1:94BDFD16E6BDE3731D9A87A0CC8CD8BD229AB307
                                                                                                                                                                                                                                        SHA-256:BD88F31DE1E212E337FD49372E0A5F20A9FBAD2D9C5FE870D7DA597EB8AB8DB0
                                                                                                                                                                                                                                        SHA-512:5E944310373D0221DEF7890183C7C44CD7ECC22A9640E2B6E3EF39879FDCDF6D028106138978EE535237C054FBE84589157CB2A4EDD1EB1FD91658F667F758A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Protection.Self.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):157072
                                                                                                                                                                                                                                        Entropy (8bit):6.350851590038153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:RihJGePYiMcyAV+kuhv7EAGl958IxTJD6HMqzwLgEFDlzRNaqN:RidZxy9hv7dGTF/D6HZMLgEFlRNd
                                                                                                                                                                                                                                        MD5:812AEAAFC31FFAEC4BAC8ACF4EAF49A4
                                                                                                                                                                                                                                        SHA1:394D336BF215AE452754B5F89E0A12EC1528868F
                                                                                                                                                                                                                                        SHA-256:0DA935949F8232DA630CB47E328E94915CA6174E6A3B1813D2C1E9A144120CDE
                                                                                                                                                                                                                                        SHA-512:7D3B7AF75F96F243BE60E2954279BACA9E2B1961CC9397FD5B3F88C7CA2978C1B071F61CD089FA8428BABFB257BC44EB5BCE7561555336CDB4B47DE87FBFC194
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Detections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):454040
                                                                                                                                                                                                                                        Entropy (8bit):7.469744856628341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:uCuACL+YuA0wOIzhri+HCpyTmCW8nytAOBzuTX9jPBBTvq:MAI+tmc+NT7HnymQaTtPBB
                                                                                                                                                                                                                                        MD5:0CEDEF4BF6B4B5FC961D1E68605FDC37
                                                                                                                                                                                                                                        SHA1:CC0879308BB5B73D6C5D65CAEAF5E7DF84DE0430
                                                                                                                                                                                                                                        SHA-256:D8194765E0636F89AC4A3574156420A09F519F6E55E4F3B2755C96EBEA7B711E
                                                                                                                                                                                                                                        SHA-512:7D5E387E6223723514D08670A0F10CA4FAE6C45F5A37542EFE240C1E7AA8CB67686E63823E85D4118366375B7183181BB6B8AE59897AB2488337E2F2C851934A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnAccess.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):426392
                                                                                                                                                                                                                                        Entropy (8bit):7.369283128418767
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:J4cYCFIqYO87e5F40HQUQtDcABtwGwIM2V4zD4aYdutjHzOG+Df0KyM6oDbeh:uS8aOIQR9bBwGVa0a1tjzo/yVon
                                                                                                                                                                                                                                        MD5:3E5558F7B1D3B186D22B7F1BFAD746E1
                                                                                                                                                                                                                                        SHA1:D358FB6E0F97F184165826AD7B448B18392B3503
                                                                                                                                                                                                                                        SHA-256:FC11595B7CDFBD3654E72F1EEED3D6C0F1579D4C55D222E29D635DC1B8A95D29
                                                                                                                                                                                                                                        SHA-512:8CA96E25C6A6FE20F2E7270682E50D9D29330847691C6E2F0927A5ED98DE319404A35226850676EF6FB5D1A3F72D9F92DCAA3E70874D7979D6FE097AC46BC648
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.OnDemand.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):373648
                                                                                                                                                                                                                                        Entropy (8bit):7.349016300134832
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1JVS9oMzjk5NO8eY0EgFLJi0McNv8HCtp3E6xC/yGqrke3Iyw9qQRO7a0NAshPcq:4jMYFLJi0McyidxC/hqrksIywA5b1cq
                                                                                                                                                                                                                                        MD5:F39564AB1A96C7E6FB4E28EE879B2DD1
                                                                                                                                                                                                                                        SHA1:BB550C9DB2D261E3A7938BBC455AF67B84133334
                                                                                                                                                                                                                                        SHA-256:8F04F4AD213C179B630BBA7F8DCC8C48AA6D2FBFB665DF95FED4DB69E191AFDF
                                                                                                                                                                                                                                        SHA-512:C0F13C08DACB1E079BEB2C84C918C63A45803644B24B0523BB51CFA19849A8586A3B68FB9785EF2929E119516374F9934618B49362B8755EE0E415C0FC65C8D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.Quarantine.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2357648
                                                                                                                                                                                                                                        Entropy (8bit):7.810374003657602
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:7frWJSlGWG3UH0A4zty01hCI9cLaLRqDHFLGeCUiuw:7qOGj3v9zty0jCI9f9qDZGpuw
                                                                                                                                                                                                                                        MD5:4E47EFCD50382E44DAF6F0BD9A35A052
                                                                                                                                                                                                                                        SHA1:4898A77CB7890C728278E16EA6EF4BFAE2608F1D
                                                                                                                                                                                                                                        SHA-256:B223843E2956C0BB486417381C38CF19D23B417C2AD478402290DE454972730D
                                                                                                                                                                                                                                        SHA-512:FCDCEA96E3260F16E56E847AA10497F8C94B3A18C3089A8390B0781C3743ADCB1A3DBFE8B71AC1A148A5718D26EF9F9D7FCD71A144186301C3D9D52444D056D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Scan.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):203152
                                                                                                                                                                                                                                        Entropy (8bit):6.8148528483764865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uYsKFpor7JTTWqs96bAHozmNuffBcOSyNZeZCp:jHFpoZ/WqsalB5XeA
                                                                                                                                                                                                                                        MD5:F23E75C4E74E29577C87112484E2FA2B
                                                                                                                                                                                                                                        SHA1:F7BF6E8B08A1FFC7B9AE54665D98536F98E21354
                                                                                                                                                                                                                                        SHA-256:84B8798E3BE78212C8879D321819C7BB13DA67B088A6FD4FB4FDB574B2E349E7
                                                                                                                                                                                                                                        SHA-512:F97A464BD33546EB1F633C93260BD1650AC075407DE700D89B99617838C23DCD90B8D97BE66DB48F593BD11DA5B48325D3D985F203DD464DF4713DDC0775533A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.UDI.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160144
                                                                                                                                                                                                                                        Entropy (8bit):6.414063962663937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:fsTm+gxWQyqMA+CEFCa+nBqiQKxBCD9/N5dTDAbjLU0IqGbYg5N:UTXQvVEFCa+BqipBSV2Er
                                                                                                                                                                                                                                        MD5:15475722F1731218E664BFE9A3675F2B
                                                                                                                                                                                                                                        SHA1:7B23EC0E21706C9A1727ECB04B01F3CA5C15D3AD
                                                                                                                                                                                                                                        SHA-256:B50DC1634C163483218B1C876A195D5BEEB7E0537369C1694562E700C19DDEFD
                                                                                                                                                                                                                                        SHA-512:9A05CA47A13322EFF717AC9A74DB1B97F0FE942D82BD0A625DBC16128264F63D2F64489A6A5F4CC9809278356115FF07C3450EEE6BD678654E1EF3546E32BFE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Updater.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):466320
                                                                                                                                                                                                                                        Entropy (8bit):7.479407675993178
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:BkYzadn5BDA0Q+65YQbICw6oIc8zpjQautj/aR:1UBDA0Qp5YmIY1VpjQnQ
                                                                                                                                                                                                                                        MD5:6BAFB48D5984EC29520E1D1B3480B3DB
                                                                                                                                                                                                                                        SHA1:8FE668F9D7296C634B754F30B04BA48F6C97F6D3
                                                                                                                                                                                                                                        SHA-256:8B0D076D38EA84171E6873EBCD216C0FC896302BDAC8F95F00158D91D5748DA6
                                                                                                                                                                                                                                        SHA-512:9FB32517265F5FC476947BD8D4A2B75FE6EC1FC44316B12DAD7348A0B82B470A8CD5AAC43A8E8E20555DEB25669FF60E639C30E202710C8B13221278D892B873
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Utilities.Browsers.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2224536
                                                                                                                                                                                                                                        Entropy (8bit):7.599214294968051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:D9i5K4fsuAiKulTTDN6XlOaF9ezQ9AWtXQphBgU36HC3k:D9i55+1snNA0zQvtAzBlH0
                                                                                                                                                                                                                                        MD5:21197FACB2C9271C217E5500BBDB31BA
                                                                                                                                                                                                                                        SHA1:20DD384F35A0E61B7842063E7853C640E22E90B7
                                                                                                                                                                                                                                        SHA-256:B1F58A7E6A95460629FB2B061EAFF3B25FCB7856EF871FDD5C7E4441DB2B4B38
                                                                                                                                                                                                                                        SHA-512:649DDFD02DD66429E23CDA1A96B3F6208CF2D9CE852014CBB6D085953B5B1CECF8903E97C27DCDA275B9D2AD6F4B4CE90F635C489CC658A2A451D498497D387B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139160
                                                                                                                                                                                                                                        Entropy (8bit):6.155499781487525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:L0fK47FEhPutq4Am7mNEtbIztAU31iXGT2yU3sM/:LkC9uPAm7WEtbIzuI0X5p
                                                                                                                                                                                                                                        MD5:52E5EDCC04F7B231A4717FD46D0F8F9B
                                                                                                                                                                                                                                        SHA1:A46B471F1D8CAB31B97E6FF5AC4CDC3F1A16E588
                                                                                                                                                                                                                                        SHA-256:605AC7852047B8A44332872203CE650ED13581D0BEC7ADEF3CAAB1E1D4B44B43
                                                                                                                                                                                                                                        SHA-512:AE0CE9BB3CC35B0D85E7CCD8BA8A50208A9779255C115F30B8AF8E58B636AB79B8D7EC34A0EDCE330E5554002D5CE1F3C145D24AB2D27FB099F18686E3B8C780
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuser.Wsc.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (5548), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5548
                                                                                                                                                                                                                                        Entropy (8bit):5.993403199466336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:RkNCZqifpqvt4Gg7Jd7z3kelI7P4k4uFWb51bxby1fmZ0PfsPp1cC1CDH:RzBc4dX7ZI74kx0Nby1fYJWC1c
                                                                                                                                                                                                                                        MD5:BE90740A7CCD5651C445CFB4BD162CF9
                                                                                                                                                                                                                                        SHA1:218BE6423B6B5B1FBCE9F93D02461C7ED2B33987
                                                                                                                                                                                                                                        SHA-256:44FA685D7B4868F94C9C51465158EA029CD1A4CEB5BFA918AA7DEC2C528016E4
                                                                                                                                                                                                                                        SHA-512:A26869C152ED8DF57B72F8261D33B909FB4D87D93DC0061BF010B69BAD7B8C90C2F40A1338806C03D669B011C0CB5BBFCD429B7CD993DF7D3229002BECB658AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):161680
                                                                                                                                                                                                                                        Entropy (8bit):6.387775456054314
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:s8epfdvpQgRqGpcbQX68OZluxCPbsHTOzWCZu0wc883O2Ai:s86UgRqPbG68ilux9q4cN3r
                                                                                                                                                                                                                                        MD5:AE985DFC8D6DEC9E2867D092AB022387
                                                                                                                                                                                                                                        SHA1:CA7B34936E4834F2FFCD1B66A4679DC233DFAEC9
                                                                                                                                                                                                                                        SHA-256:0CD86C6339CF193E5995D1C656F7CF52B07C3228F64F31FA4846E0265D932481
                                                                                                                                                                                                                                        SHA-512:467CFF2C47542957B7ADE4926B373888FBC0AFCE539A3C4455DF4539A65D1E88AACF5E234740532D4EAF1622E0D938883BBFD15B807FFB19479A4C482B946A84
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.Proxy.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):279952
                                                                                                                                                                                                                                        Entropy (8bit):7.1738014863149155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:EvYlyhogKpcZSqza+9y7/vIL4ad5MYWD0nrfx:bTgScZSq4ILLMYZx
                                                                                                                                                                                                                                        MD5:43D54D284A55289A077CA919DEA944AD
                                                                                                                                                                                                                                        SHA1:AC09A864846C82C23BF6134A80E6241CBEF2997E
                                                                                                                                                                                                                                        SHA-256:DA00C48CCD55D5F6A173E13E352C459AD2D557B5FEB671E063DD3057D42005DD
                                                                                                                                                                                                                                        SHA-512:E4C50AEB2D5986AADB5557B7C709D8DF5C3230765C061E080587CCD419F51EA45BF7EEF33CB6D4A29BA2982E116AFF724C855E9F3B27445FFF2086607F3C5592
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.JSONInterface.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):188304
                                                                                                                                                                                                                                        Entropy (8bit):6.499849762511875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:q5v52nVxq1TDHlPsC2OdKMMKvl6vD7I1iCv3/jDxHmrEDZjqDsZ6vKuWdEAIxAh+:ov52nVyTDHlPnrgMMKcDYiCv3/jDxHmN
                                                                                                                                                                                                                                        MD5:A74BC3E492BD95D9A036D6CD188AAEDE
                                                                                                                                                                                                                                        SHA1:851C8F72BD5D5D5836FF6AE8B00AB79270370605
                                                                                                                                                                                                                                        SHA-256:188F6FD6DD840A11C6467BFF98520DD926E0F626FD3BFE038CE551BC62DA0066
                                                                                                                                                                                                                                        SHA-512:B714DACBBE3C6C261520169D85086683C036471DD510122B00676AC25FAC59A938C702C95BD2CDD829D48E6F850AC196AC1C5DA8D0A96F54C991445A4C05CCBA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.RPC.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331152
                                                                                                                                                                                                                                        Entropy (8bit):7.0755042590697474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:yttSX8+sSF0jsc3UvFN5T3FcQg9bRkg3Kit5afJSawbV9RC9Lp:yAo3KFNNdg9bq+asV9m
                                                                                                                                                                                                                                        MD5:020402475FCEAC13F6DF2037FADAD1FC
                                                                                                                                                                                                                                        SHA1:7AA31B7ECD3858F77D3AC0794865CA7DE291C197
                                                                                                                                                                                                                                        SHA-256:4A120C77A4A297EA9A28FD28E79EB63266201D9F45DDAEB606B3597CA2D3F005
                                                                                                                                                                                                                                        SHA-512:D0AEA0DF7F13DFCA7A1D10F2F7DEC3702C9F3C598ED0556F9CD9CECAF1D6129B00A16065C13ED72B0BFA735B58B358649F3F63C655F294ED92C68E14840C2ECD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsuserSvc.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18070
                                                                                                                                                                                                                                        Entropy (8bit):4.992549577385435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrkUwfx0GReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZedUaw:hrU5PUDRTHffIz
                                                                                                                                                                                                                                        MD5:5EF4DC031D352D4CDCEFAF5B37A4843B
                                                                                                                                                                                                                                        SHA1:128285EC63297232B5109587DC97B7C3EBD500A6
                                                                                                                                                                                                                                        SHA-256:4B094B7BD38E5BF01900E468DDD545B42369AE510EC2366427804A57DA5013A7
                                                                                                                                                                                                                                        SHA-512:38B0444E4F07AD0B50891E2B0DA6374B0033CB9656A4918E9EAAE34E381D95671978D19ABBCF2B8FDB079921B85E20DBE2C4392B15984CE6051B48B4A05A172F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.InteropServices.RuntimeInformation" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Collectio
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):146840
                                                                                                                                                                                                                                        Entropy (8bit):6.28607906357083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:yHK4ZnPZnBtbTzYSFOgewYgqE4uXM4/9l:AK4ZPlBtbTzYSFOgo4/
                                                                                                                                                                                                                                        MD5:249747A3BE3764F08146EF9328CA2C8D
                                                                                                                                                                                                                                        SHA1:A1B68F69D11300DBF8EB5BDD575FD21C2E26CD42
                                                                                                                                                                                                                                        SHA-256:85D889524E0CB67FF644756AD9EA9F88AC84ABDC03CF3B31FF544A389462A253
                                                                                                                                                                                                                                        SHA-512:CFE056CE78DA5ED7A76450160FE236C6C830DAC6AA5C0DAA9833B5225A9018F756760E0DA9A869B05BC1EBF2360BC60CB46C60BC27EF6833701FECB858C5CCCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18070
                                                                                                                                                                                                                                        Entropy (8bit):4.992549577385435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrkUwfx0GReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZedUaw:hrU5PUDRTHffIz
                                                                                                                                                                                                                                        MD5:5EF4DC031D352D4CDCEFAF5B37A4843B
                                                                                                                                                                                                                                        SHA1:128285EC63297232B5109587DC97B7C3EBD500A6
                                                                                                                                                                                                                                        SHA-256:4B094B7BD38E5BF01900E468DDD545B42369AE510EC2366427804A57DA5013A7
                                                                                                                                                                                                                                        SHA-512:38B0444E4F07AD0B50891E2B0DA6374B0033CB9656A4918E9EAAE34E381D95671978D19ABBCF2B8FDB079921B85E20DBE2C4392B15984CE6051B48B4A05A172F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.InteropServices.RuntimeInformation" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Collectio
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22416
                                                                                                                                                                                                                                        Entropy (8bit):6.860600457777828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aYzPTJH3h8Eq7rjb8vU8vMXa/rl9qX2Ip4GZ/aqjdAA1m5wM6guw9Qntee:aYztH3h8EqEXuKrLy2Ip4Goqxf1ml67n
                                                                                                                                                                                                                                        MD5:38757B032B591C9E653B594E1C00ACC0
                                                                                                                                                                                                                                        SHA1:2D84D7551C478E2AF8E05FD11AAD538EC6144010
                                                                                                                                                                                                                                        SHA-256:6D978AC247C7AFDFE52AC7010217F4FA4641ECF8365DEF11A1C1EA68DB2F7CB5
                                                                                                                                                                                                                                        SHA-512:17DE068554C20D3EAE6D7E498B4B71A7CC8A92E8284AD51C993B597F3E6799A41B978EE01CDC07316C23D8F339419302EB6C512F059E44C1F95FD5C4075D3023
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139664
                                                                                                                                                                                                                                        Entropy (8bit):6.209369401653978
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:EhHwtBCn8Y/4Th6N6sIZUjGaTZWVbXQtgM:GnNchDbZUyPa
                                                                                                                                                                                                                                        MD5:2CB5FB65A56968C4DCDAA10B9AC1FC6F
                                                                                                                                                                                                                                        SHA1:7E348E845C21CB6E7334C4EE10A7C42431B98B15
                                                                                                                                                                                                                                        SHA-256:5FE5B4DED0B0E1DE6595D567EDDD46182E36F26F1FDA77259DBEEF7F3D8EE65A
                                                                                                                                                                                                                                        SHA-512:68E6FED1BA34E31CC75AE2C9F24C2EAAC6BE27C832AB6C2EFEF8DC652FEA2182432010BC4ED715AD8A8D889D5604EBAEE809E827698116E3B919355B838BAF46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsHelper.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18070
                                                                                                                                                                                                                                        Entropy (8bit):4.992549577385435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrkUwfx0GReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZedUaw:hrU5PUDRTHffIz
                                                                                                                                                                                                                                        MD5:5EF4DC031D352D4CDCEFAF5B37A4843B
                                                                                                                                                                                                                                        SHA1:128285EC63297232B5109587DC97B7C3EBD500A6
                                                                                                                                                                                                                                        SHA-256:4B094B7BD38E5BF01900E468DDD545B42369AE510EC2366427804A57DA5013A7
                                                                                                                                                                                                                                        SHA-512:38B0444E4F07AD0B50891E2B0DA6374B0033CB9656A4918E9EAAE34E381D95671978D19ABBCF2B8FDB079921B85E20DBE2C4392B15984CE6051B48B4A05A172F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.InteropServices.RuntimeInformation" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.2.0" newVersion="4.0.2.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Collectio
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):225168
                                                                                                                                                                                                                                        Entropy (8bit):6.780174292328908
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:c7IEMtFMZZi+Ng9999994f9oMlnhcNx3BnG:EZi/MlevBG
                                                                                                                                                                                                                                        MD5:D43100225A3F78936CA012047A215559
                                                                                                                                                                                                                                        SHA1:C68013C5F929FE098A57870553C3204FD9617904
                                                                                                                                                                                                                                        SHA-256:CC5EA6C9C8A14C48A20715B6B3631CBF42F73B41B87D1FBB0462738FF80DC01A
                                                                                                                                                                                                                                        SHA-512:9633992A07EA61A9D7ACD0723DBD715DBD384E01E268131DF0534BCDFCD92F12E3DECC76AA870EA4786314C0B939B41C5F9E591A18C4D9D0BAD069F30ACD833E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsJSON.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):111512
                                                                                                                                                                                                                                        Entropy (8bit):6.291243949141146
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hfL+72PsK9Qd/RpgyxMkJfjQmMCdwMzTV+:hCqkK2/Rp5DzTV
                                                                                                                                                                                                                                        MD5:83E844B02F404E472071A874E66F96A3
                                                                                                                                                                                                                                        SHA1:70FC67BA4D3CC88A2AB8EC2EF06413FEDD664C39
                                                                                                                                                                                                                                        SHA-256:EF58450E7775BA70C11DDDEACD3EBD857A87DA7EA3918ACBDEDD6FAAA1875DA7
                                                                                                                                                                                                                                        SHA-512:3010F537848D5C0B6364CFC18BA6C08016D3F8CB5DAFDE4BC935AD3B4509642AA73671E8C099296559046EACC8108EA0990CAF5A93DBAAF09B8362F9467FFDAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105456
                                                                                                                                                                                                                                        Entropy (8bit):6.166230469207198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8fL+72PsK9Qd/RpgyxMkJfjQmMCdwMzTVK:8CqkK2/Rp5DzTVK
                                                                                                                                                                                                                                        MD5:7C97046701CB82E4E409DF20AF386275
                                                                                                                                                                                                                                        SHA1:051267E447CF42B2ECA5F695526F18ADD1CCF3E4
                                                                                                                                                                                                                                        SHA-256:38CA46547C8C7C5C0C8E394EA355A03C26A08ADB63B39FC95AA5461B5321DA7C
                                                                                                                                                                                                                                        SHA-512:22E2CFBDA6E47D62E0F87535F4F61ECC67408EFDF020C41A29993BD80FAC9CC40D4513708C0BC96CBAA0D70686BBBD2D7CB1FBB95BD273937159D6516452B691
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183696
                                                                                                                                                                                                                                        Entropy (8bit):6.5543556606749345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:CUy/CR6dEfViQ+7gLmiEw/zrQUTkkySNP0dbNIprWZH:Dy/CVQILmil/zrQV2YbNGc
                                                                                                                                                                                                                                        MD5:B279550F2557481AE48E257F0964AE29
                                                                                                                                                                                                                                        SHA1:53BEF04258321CA30A6D36A7D3523032E3087A3E
                                                                                                                                                                                                                                        SHA-256:13FE4A20114CDF8CD3BBA42EEAABE8D49BE0B03EEC423F530C890463014CCAAA
                                                                                                                                                                                                                                        SHA-512:F603CBAC1F55AD4DE7A561A1D9C27E33E36DE00F09A18FF956456AFEC958F3E777277DB74F0B25C6467E765D39175AA4FCDD38E87A3D666B608D983ACB9321CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsLogger.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138640
                                                                                                                                                                                                                                        Entropy (8bit):6.143614645047404
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:jSIiHzp2tv/r/sGhQpSaHE6mVTp2/rLgq3:eOtyNXmaDz
                                                                                                                                                                                                                                        MD5:4A9790277ACB9076A83231EDFB2EA0D3
                                                                                                                                                                                                                                        SHA1:7D9C1B4B903E8ED84E77CB84786D21A47FC2F419
                                                                                                                                                                                                                                        SHA-256:337F001F77FB8C12A2137250B6FB2E80D7AD43CA02344ACCE24B257FE3413845
                                                                                                                                                                                                                                        SHA-512:39D9C2F13E78A14DA4A65D830B567153DFC53B167569C0AF5ECDA617957224EF783A33A4D8858A09ABE5FEB33BA39AAEF9BB96C2FB8F560750F9EA309B9398F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsRemediation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):532
                                                                                                                                                                                                                                        Entropy (8bit):5.071669869884946
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TMHdG3VOcrL59LNFF7ap+5EPf/2/+ZS9FicYo4xT:2dErvPF7NEPH2/+w39y
                                                                                                                                                                                                                                        MD5:801C6F8CE1CA9EAC249D7CD896E49649
                                                                                                                                                                                                                                        SHA1:6C39302A125ED0D5B4E7FAB0F04231264B5E59FE
                                                                                                                                                                                                                                        SHA-256:30F7E43D8512DE6CD64FAA58F6AD86046DA331E979AB4AF38F57BE57F7469EBD
                                                                                                                                                                                                                                        SHA-512:CC310126D9FE3857ED7F335400C11749911611EE782C172426F31ED7B6B7B3921C53BBFA5FEAB3BF1B0637A53581ACA231A7ED144D77F7B0237C77E4096F4D76
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):179088
                                                                                                                                                                                                                                        Entropy (8bit):6.563064733631268
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:nT9nvidN3G9nZm4feQPMYGQh5AB9vaTiYuzdNd6iB6KA5vY:nT9nvDB75Fq91dNd6iB6K3
                                                                                                                                                                                                                                        MD5:D0779008BA2DC5ABA2393F95435A6E8D
                                                                                                                                                                                                                                        SHA1:14CCD0D7B6128CF11C58F15918B2598C5FEFE503
                                                                                                                                                                                                                                        SHA-256:E74A387B85EE4346B983630B571D241749224D51B81B607F88F6F77559F9CB05
                                                                                                                                                                                                                                        SHA-512:931EDD82977E9A58C6669287B38C1B782736574DB88DAD0CC6E0D722C6E810822B3CBE5689647A8A6F2B3692D0C348EB063E17ABFA5580A66B17552C30176426
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsServiceController.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21912
                                                                                                                                                                                                                                        Entropy (8bit):6.9091747171109255
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+YZv554sAHo3T8Vfrjb8vU8vMXa/rl9qX2Ip4XRpOKqjdAA1m5wMPhzmufdQKNN0:+Yr9P3T8VYXuKrLy2Ip4BBqxf1mlZxfI
                                                                                                                                                                                                                                        MD5:4B51ED9B4949E8219B0F0CD87860F55D
                                                                                                                                                                                                                                        SHA1:59345A28D262A90E1DB3C5C64BA8882B497DEFED
                                                                                                                                                                                                                                        SHA-256:5AC625AF17D6E9AF8FCDFF7EEAE082ABBFE8DD11C913BBF6DF277D2063AF6B79
                                                                                                                                                                                                                                        SHA-512:B94160671359DDF880ECA920E78F1E33823655D417EA2E5F84D8C661F8AF3D7130EFEB8058E623AFFC8ADCBF91B2419E34F524E5FD390DEE194E8276E3AFDB0D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):208440
                                                                                                                                                                                                                                        Entropy (8bit):6.668432898850694
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JelSSyM0edH6EPcfkUlpOepc4b6SBw8b+tjzyXOjnBYJwdkJjd/PgxCcxqE:6SSl08EfkUlnp96Sa2u/yuBpdclLu
                                                                                                                                                                                                                                        MD5:103F5F469E0D03308B4D8A18C2AD9B3B
                                                                                                                                                                                                                                        SHA1:C380199A6FEDC9B1B6638DB1264FB05818155F40
                                                                                                                                                                                                                                        SHA-256:2BF7C8A5421BD74EAE8EDE15328C0C39A4DDF524149DEE0521372FAFDD2F8812
                                                                                                                                                                                                                                        SHA-512:608DFA389729EE6F4FFF1197EEE15E2359F288937E1CBC9B044CF9ABF7DE06B5D135A2A4A8C5BE558AD2593CB5ABC0C93B14CEC37DD58D2682A2234D0D1D1DEE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsWSC.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):167824
                                                                                                                                                                                                                                        Entropy (8bit):6.476855847425372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:U2kniFpIq4pOYs2sMR0i4xcHlyMTz4cU2bf3CLkPUWv2h/0:xkniRQOYs2jRr4xcr3ELkPUYv
                                                                                                                                                                                                                                        MD5:A04DF84F43FB575865C8D6E9CEBA269F
                                                                                                                                                                                                                                        SHA1:D8C48AF44AE4B53A512F1E50A8037AFA5632B711
                                                                                                                                                                                                                                        SHA-256:9BDB2EFD3109A21C4A0250B0BB2369D46E3E0C812A7F0A9F139FBDD33D7DDDDE
                                                                                                                                                                                                                                        SHA-512:C359DFF59892913EF5439E0540FA19A8188CF60D4D093C82C215B720C9E85749C0E16F4400F3F2BD2F35E8B31216D9AC450E2756FCF7DCD69FEA7543DC43894B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2284944
                                                                                                                                                                                                                                        Entropy (8bit):2.0553524246903465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:tWaGrR1sGXh2YGmO+OB69vV7GVrKEu1GeBv1L8aIGCsCMlzN:tWaGrQGXhZ7OS9vV7G5cuhKlh
                                                                                                                                                                                                                                        MD5:DEFBB0A0D6B7718A9B0EAF5E7894A4B0
                                                                                                                                                                                                                                        SHA1:0495A5ECCD8690FAC8810178117BF86EA366C8C3
                                                                                                                                                                                                                                        SHA-256:C3D2F7E0AD6FD26578595FB3F7C2B202AB6FBA595D32DFA5C764922145DB0788
                                                                                                                                                                                                                                        SHA-512:55DAB7AE748A668A2BB57DEB6FBFF07E6056D97B6F88850890610AC135B8839D3C61F4DC505D3F32CC09A3FF2CE80CE663D0C830F9F399367DC03C92EA7CA89A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18307712
                                                                                                                                                                                                                                        Entropy (8bit):6.715259312899792
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:s+S6VW73oPu9JH2yKF718eBEUuVO2iV0mkPF6F5iyNbQ0/ydc:9S6fdbB2UEiV2P0IIkc
                                                                                                                                                                                                                                        MD5:F535205A21E45B97AD7954EDD69D4A77
                                                                                                                                                                                                                                        SHA1:686D41274A5F1E9265B627E6677176871B09DBE8
                                                                                                                                                                                                                                        SHA-256:DBA6D7EABEAD3E8B3860661A51C16195411A3278D8780F05CFA49EDC37BF542F
                                                                                                                                                                                                                                        SHA-512:36F126EBB7860EBC43F9F0FA9F3C92A30B6A69A725944E4A67AA39DB7D1B63BF90AA3F5E9D453F4B52B767CE7E17B89904495E2CF096B4C33D45D0EFB0A826B2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (684)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):685
                                                                                                                                                                                                                                        Entropy (8bit):5.94066578112315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:bOx3d4V7jt5jPGO32GXsdsQMyK5oL9dabvmgN61owaM6knFG:bOFdKjt5juO32GXsjEoL6b+bGM6knM
                                                                                                                                                                                                                                        MD5:7B95CFD94942E6805CD1653D4D8ECF40
                                                                                                                                                                                                                                        SHA1:5E2473A5216692ACC2B18879C267D86316AE80EC
                                                                                                                                                                                                                                        SHA-256:0315B4FA5297A8D183575E5455C223CF3375B06CC050623A928A5737C22CC516
                                                                                                                                                                                                                                        SHA-512:351C1016C5EAFF50B71145407F2E1F79B7097811033C64730F9FA026DD18711BD0287A47F8761144E03954C23610B573F6FCD50C00425DA46691C1D84A94F8E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):204688
                                                                                                                                                                                                                                        Entropy (8bit):6.406610482921894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ixa137c+Jw+7mlU6UFyAIJXw9AlbLI+aYroEWOV4iOi:io37c+JwGIApIJA9AlbuJEfb7
                                                                                                                                                                                                                                        MD5:4410956F34F6165E9D38051479EE14BC
                                                                                                                                                                                                                                        SHA1:8ED387043BD967461B1125D1A890A3B33C7D10F4
                                                                                                                                                                                                                                        SHA-256:580A94725F9ED31307A87F596AF25A068473B2639FFABB3BE3B9B840613C0007
                                                                                                                                                                                                                                        SHA-512:86456EE13E0A3A2386FFCBE92AD91106C42AD59035D62BF89FF7099B598BA82B38F2ED43BD066EF81C9A7A469823FB6EA4F008230F84A64732518923BF6461C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):204688
                                                                                                                                                                                                                                        Entropy (8bit):6.406357870733198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Vxa137c+Jw+7mlU6UFyAIJXw9AlbLI+aYroEWOV4i8h:Vo37c+JwGIApIJA9AlbuJEfbS
                                                                                                                                                                                                                                        MD5:E9CFFAEBCB1A05B86BAAD88FED5B1F07
                                                                                                                                                                                                                                        SHA1:7B421650F1D4D79BAB2ACDCAD87FD1894C0B6645
                                                                                                                                                                                                                                        SHA-256:5FEE9B133ABFCFC09CC9D8236BF6C620999A5FCA00F5643BD49066336E58601D
                                                                                                                                                                                                                                        SHA-512:7540AFFAF39AA18B14AB9942FA6FB2C704A5CA59A753479391B3136731E0B51E3A9B1F507200E568BCF921DDF1ED06ACC17F89F7DAC1D963F1CDE97C0BF70357
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):125336
                                                                                                                                                                                                                                        Entropy (8bit):6.271682919678411
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:i+rSugvaDzJGezUUSBxlezTESfWwjbE42qyGHzdHKcQsWydp9dlsc2Xd/9jfInfz:i+rSu15XslsTEMPs42qyqKaB+clr
                                                                                                                                                                                                                                        MD5:CFF2B51C43B91610FCD81352CC54332D
                                                                                                                                                                                                                                        SHA1:412DEE97ADDF4E25A76A3B7417340F27019F67B5
                                                                                                                                                                                                                                        SHA-256:DC95A4E849BBAF96E55172F08E070F9E1ACF5E1B772BB84098AE2AF8DA9C97BE
                                                                                                                                                                                                                                        SHA-512:7C5379909B985EA201A068AEDB3052B1AA02DA7FC83CBF59ED053567AFB0E6D0048E7EE1F7F54232B029C6114C339B7AC015B21269715D901AE83D19CDC5956B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):174592
                                                                                                                                                                                                                                        Entropy (8bit):3.1176056240139736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:URqHi9xDnRbDPi6ag9rucqkerzUCgIMSfZHqdefc8+YZ9:SqmpD66h9lqkerzgIPfF+efc+
                                                                                                                                                                                                                                        MD5:AF1C23B1E641E56B3DE26F5F643EB7D9
                                                                                                                                                                                                                                        SHA1:6C23DEB9B7B0C930533FDBEEA0863173D99CF323
                                                                                                                                                                                                                                        SHA-256:0D3A05E1B06403F2130A6E827B1982D2AF0495CDD42DEB180CA0CE4F20DB5058
                                                                                                                                                                                                                                        SHA-512:0C503EC7E83A5BFD59EC8CCC80F6C54412263AFD24835B8B4272A79C440A0C106875B5C3B9A521A937F0615EB4F112D1D6826948AD5FB6FD173C5C51CB7168F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1857424
                                                                                                                                                                                                                                        Entropy (8bit):6.307907308978977
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:M8sHeHKHplfu94i55tbhris2CCEnWaWBvYyozGUIjnRnUO:M8Y/Q94iZNrP2t0ZyyIjnRnUO
                                                                                                                                                                                                                                        MD5:8E5172C235BA4724B433E00C61868AF1
                                                                                                                                                                                                                                        SHA1:48CC7FD0925191B007BFD7ECC4D67CA7A8A0C5BE
                                                                                                                                                                                                                                        SHA-256:978018A106D8CD5E6208A0818E29D426EED5CD721C63F5ECF709CFF5E67A5A92
                                                                                                                                                                                                                                        SHA-512:4C75F1B4B1F3A9002C682C7868B54207830B8E6256C1EF025A7399CD80AC94639478D74AE11892A39D4E8024B32DF9EFB38B5E5367E0F57D95550621D032A821
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1647504
                                                                                                                                                                                                                                        Entropy (8bit):6.551024250584096
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:gKBZFqX8TvXzlaPmAA6rKmEOwksSf0WBA:gK3/z0hq
                                                                                                                                                                                                                                        MD5:944763DA4BB3A0B5C453E01C9F7FBDE7
                                                                                                                                                                                                                                        SHA1:B20E426042413C4F78C13B2314CB5A2D5382EFD8
                                                                                                                                                                                                                                        SHA-256:CABB471E498221D91D4B043315503DB083C89AB0D64767568EA00947F3D503EA
                                                                                                                                                                                                                                        SHA-512:911282ED8D94CFAC0843BE5D19CD45820270D28538B678F14B1DF668A6B970CCC76E8BE905E7416FAEF4868A520E337E3AC8AB1FF3485E0183AD77D1EC972DDF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):378256
                                                                                                                                                                                                                                        Entropy (8bit):6.322466080830917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:SBYqz/61Z2lKHQM/QX1ahKrJQRB2XHbV7iFGrwGav4VohWrtdmI:SJ/UIwQM/qo4rGREXH1o8Z
                                                                                                                                                                                                                                        MD5:9392FA350C73DC21ED7FD105BD2C87A4
                                                                                                                                                                                                                                        SHA1:CD643FCDD83AC51E9067891FC2836E66A69CC3FE
                                                                                                                                                                                                                                        SHA-256:61200CEF138D0EB9CEACCDBB275108A7426AD697E0E7AA8CC9BDB4E2664469BB
                                                                                                                                                                                                                                        SHA-512:30769F1EE75D43FDBBE5EC933967CF60AA8626AEF2AEBC5EA4F44048913EB62327FC95C2DC4639843566A6AB3F023599A53ADCA0B553C720A7852B5A3DE923C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):121744
                                                                                                                                                                                                                                        Entropy (8bit):6.292189501903852
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8vysFz2cyiAtLfc57mfngv6ALQ09tNdUNtDfBv5XvEX6crW:8vy6z2GAtLfcCgv6ALehJcy
                                                                                                                                                                                                                                        MD5:A64F16B745FF24A2A8745C84DC22C7E6
                                                                                                                                                                                                                                        SHA1:389CABB4152CBE81F6BB2BC037082A392078F58B
                                                                                                                                                                                                                                        SHA-256:8F08EAC608D37CC6033FB042A037878058FAF8B764A2BA714A77C3F0649962CD
                                                                                                                                                                                                                                        SHA-512:AD7DF18131E948547E89FCF47B2BC878F9A8454EAC2631CEDD968C7E7EF027052089574FA5EBFAC01E661A3A18D8EE6A96857A126BCB837663A894CB08953069
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48944
                                                                                                                                                                                                                                        Entropy (8bit):6.755780295147749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:68vbBtr3uL645Mx5wm9sKN6DRtoQpH3e6n9yEM1didV1VaXLkj3XV13hwOOPO9z4:Hp3uORwOO3/c1dGP0+xnOiz4
                                                                                                                                                                                                                                        MD5:633861D85B60EB7DE2E820F4FAC586E0
                                                                                                                                                                                                                                        SHA1:E5666AECD7B9D97627C4A0FC06D52AEA59D7C37D
                                                                                                                                                                                                                                        SHA-256:8EEBBE6A69D030FF7944524E22126218B6AE8CDB349C97FEEDB83CD0686BBB38
                                                                                                                                                                                                                                        SHA-512:8F26D38ABEF1CA2B365A2B1CC6B2A49C55319C59D790C32EC8D5728596FDDCF9252230C200ABAE4609884CBA3449B3EA778785244330F98C8C21CADF8C921AE1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):137112
                                                                                                                                                                                                                                        Entropy (8bit):6.283832173307366
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:lOJMZaVYm1tAF3f5tqKhRWmGBASRua3jXKqMVqhcWMsWCdt9dl3RDsp3rpXd/9aY:lOJMucfP9WmSAmNzaqM0hnF9BRDsJV
                                                                                                                                                                                                                                        MD5:295EDB63B00F4CEC93D3BEB456832046
                                                                                                                                                                                                                                        SHA1:393EDE36DB1F934A966981306A4D233A60E0D8D7
                                                                                                                                                                                                                                        SHA-256:3333EF48C525D4B916391D13CBD3E9A0361C725E30B86E17349EBE57B307A4D8
                                                                                                                                                                                                                                        SHA-512:0CE2878BB9107B87E127607885BD35BAC9B2C74C59C6EB9BA4065DC8F0FF6A103979B10A278021CA2FDF5F7258B67C47B52D9D82DEA13969C44FA09B68267EB3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:Windows setup INFormation
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3063
                                                                                                                                                                                                                                        Entropy (8bit):5.014088126389475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:utXfcDLNthOyA9Bd8WMv/EhtF/qi/Oaucosld2dVBBiBklmP55I4kYlIRF7osFrr:uNfcDLNPOyALd81v+tVR/qlPsBklA5IL
                                                                                                                                                                                                                                        MD5:E8EF8570898C8ED883B4F9354D8207AE
                                                                                                                                                                                                                                        SHA1:5CC645EF9926FD6A3E85DBC87D62E7D62AB8246D
                                                                                                                                                                                                                                        SHA-256:EDC8579DEA9FAF89275F0A0BABEA442ED1C6DCC7B4F436424E6E495C6805D988
                                                                                                                                                                                                                                        SHA-512:971DD20773288C7D68FB19B39F9F5ED4AF15868BA564814199D149C32F6E16F1FD3DA05DE0F3C2ADA02C0F3D1FF665B1B7D13CE91D2164E01B77CE1A125DE397
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:;;;..;;; rsKerneluser..;;;..;;;..;;; Copyright (c) Microsoft Corporation..;;;....[Version]..Signature = "$Windows NT$"..Class = "ContentScreener" ;This is determined by the work this filter driver does..ClassGuid = {3e3f0674-c83c-4558-bb26-9820e1eba5c5} ;This value is determined by the Class..Provider = %ProviderString%..DriverVer = 03/25/2021,1.0.0.2..CatalogFile = rsKerneluser.cat......[DestinationDirs]..DefaultDestDir = 12..rsKerneluser.DriverFiles = 12 ;%windir%\system32\drivers..rsKerneluser.UserFiles = 10,FltMgr ;%windir%\FltMgr....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %ServiceDescription%..;CopyFiles = rsKerneluser.DriverFiles..;, rsKerneluser.UserFiles....[DefaultInstall.Services]..AddService = %ServiceName%,,rsKerneluser.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..;DelFiles = rsKerneluser.DriverF
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49456
                                                                                                                                                                                                                                        Entropy (8bit):6.631066056716293
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768://Vqt92EbtYnekejiYF5blvhBVu8suwIppriCAVUValkjvJt3Hy5Z:EmeLT0CpprAqs6tXqZ
                                                                                                                                                                                                                                        MD5:F77B9B6CCCA206535EB9672266A462B1
                                                                                                                                                                                                                                        SHA1:479345A89FB7362CAE53A3040F4EFCEE55B92BF7
                                                                                                                                                                                                                                        SHA-256:BC4EBE3656BE0F502B65A2CA247FFA1B3065EC6FE2E76D3AF21511A0616F855C
                                                                                                                                                                                                                                        SHA-512:9C80E9C83A58C9E2C63F22C17E4FD4DF227F04960AA2212C66A1308512FE02E71CB7300455965109A7E3931ABD38EBD15162FE3CB46C3328F28D1AE175B4EFE3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2368912
                                                                                                                                                                                                                                        Entropy (8bit):6.822643146530875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:4GtlqmIU6i9WVwASOgrXZLIgUivtw6jx5+8678vcWs4jdNsgiPLIl:0+3zjdsZF4jTsgsIl
                                                                                                                                                                                                                                        MD5:2AF03A4B211428D4C88E63D3CD42E427
                                                                                                                                                                                                                                        SHA1:9856611653F76F48A3F132E69F31280B5BEDC248
                                                                                                                                                                                                                                        SHA-256:3F198A95B07E119CF6053481DCED4D5515EAE93B9B8A00A85A50315C0A5286B2
                                                                                                                                                                                                                                        SHA-512:A9F3A0E0C396578C20D1F55FA9C0CFD40F1AC9F557A80140CAF4D84AC17E7FDF0A8048EB73DB8D9D6380A2F2681205E7127BDC8FC6262AAC5877AEA3435C62A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (5548), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5548
                                                                                                                                                                                                                                        Entropy (8bit):5.993403199466336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:RkNCZqifpqvt4Gg7Jd7z3kelI7P4k4uFWb51bxby1fmZ0PfsPp1cC1CDH:RzBc4dX7ZI74kx0Nby1fYJWC1c
                                                                                                                                                                                                                                        MD5:BE90740A7CCD5651C445CFB4BD162CF9
                                                                                                                                                                                                                                        SHA1:218BE6423B6B5B1FBCE9F93D02461C7ED2B33987
                                                                                                                                                                                                                                        SHA-256:44FA685D7B4868F94C9C51465158EA029CD1A4CEB5BFA918AA7DEC2C528016E4
                                                                                                                                                                                                                                        SHA-512:A26869C152ED8DF57B72F8261D33B909FB4D87D93DC0061BF010B69BAD7B8C90C2F40A1338806C03D669B011C0CB5BBFCD429B7CD993DF7D3229002BECB658AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):212
                                                                                                                                                                                                                                        Entropy (8bit):5.085919613407831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:rtRV8Bk2JM0RG0DKhSdLc1tRVQnwZVjwOrADGq:ZRV8Bk2JTDFdLORVQwrjhroZ
                                                                                                                                                                                                                                        MD5:4F77700835F55F95D7F0CADFFEA774AE
                                                                                                                                                                                                                                        SHA1:DE489153F9A03037EDE7CA995A5726D4452E10DB
                                                                                                                                                                                                                                        SHA-256:F78FC8C499BEA76D5FFC8F8A5266B84994A2F3BFBA4DF0BCAF1BA86B3A62C19C
                                                                                                                                                                                                                                        SHA-512:B3A10CBD8C0BE6D1DB9796BAC2CBCB074C5521E83358726D36B7A8F29D8495E446544356905806BD9E64B69BC91E646548E654F19F45CA704CC9F2D7599E5B6A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[ERR][20240423 08:52:44.257][ProcessUtils.cpp@210]: Failed to get executable filename for process with id 3980. Error 31..[ERR][20240423 08:52:58.293][HttpsDownloadFile.cpp@200]: Unable to open HTTP transaction..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                        Entropy (8bit):0.7491921788134467
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0z:9JZj5MiKNnNhoxu6
                                                                                                                                                                                                                                        MD5:E6A81951E8A1E7CD67EA99CC7C4B1D07
                                                                                                                                                                                                                                        SHA1:CA42408DD262691D76E11A757CF30201ACB2002F
                                                                                                                                                                                                                                        SHA-256:BDF3AE72D08424928F67A08D97DC2E65C8F6F4986B17F01C51C8CC557900458D
                                                                                                                                                                                                                                        SHA-512:DF4976787DB0B7C2A6D691B00C3B86BD12F7C8E57CF661D00DC51B117C148C67EC6683D48E852124A5213BFE563A2BCC8DE3E0EDDD412F55546C805A23F367B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:Extensible storage user DataBase, version 0x620, checksum 0xf2675e37, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                        Entropy (8bit):0.7555579326227357
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:tSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:tazaSvGJzYj2UlmOlOL
                                                                                                                                                                                                                                        MD5:29547B356E12B9562D9AA921B9918AE1
                                                                                                                                                                                                                                        SHA1:10633573FA6C72F74D221C1A69A9A5A7CEF8996E
                                                                                                                                                                                                                                        SHA-256:1472B702CDAB71BD120FC48151327EEE3E1A4FFFF7F982C654C20FAE0BC937A9
                                                                                                                                                                                                                                        SHA-512:9D57A3416A78A5F779C1DFB4BE14B200DA68120964A90FB5843621EB290D319F12A7F6CC116F1D597E775FF81C93BBFCC7F7FC667514733E31C656689AFE7B6D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                                                        Entropy (8bit):0.07791086164547226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Mar 4 15:20:38 2024, mtime=Tue Apr 23 04:39:53 2024, atime=Mon Mar 4 15:20:38 2024, length=27769744, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):993
                                                                                                                                                                                                                                        Entropy (8bit):4.576248250557064
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Apr 23 04:39:58 2024, mtime=Tue Apr 23 04:39:58 2024, atime=Tue Apr 23 04:39:58 2024, length=50, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):871
                                                                                                                                                                                                                                        Entropy (8bit):4.454344405831253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):575
                                                                                                                                                                                                                                        Entropy (8bit):2.7607342294511947
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                                                        Entropy (8bit):1.4084855398874956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92868
                                                                                                                                                                                                                                        Entropy (8bit):3.080306454749861
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                        Entropy (8bit):2.6964870421417557
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
Preview:B.TimerResolution 156250..B.PageSize 4096..B.NumberOfPhysicalPages 1048333..B.LowestPhysicalPageNumber 2..B.HighestPhysicalPageNumber 1310719..B.AllocationGranularity 65536..B.MinimumUserModeAddress 65536..B.MaximumUserModeAddress 140737488289791..B.ActiveProcessorsAffinityMask
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Tue Apr 23 05:40:16 2024, 0x1205a4 type
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):130768
                                                                                                                                                                                                                                        Entropy (8bit):2.221124464940018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:tcfCF46Jub9WcXlr1wMfkpETHeQiKf0gCNyUp:6PJXlreMfkp6He+0g+yUp
                                                                                                                                                                                                                                        MD5:2669D612B2E41397916357DB243AFCEB
                                                                                                                                                                                                                                        SHA1:506FB1708B38D138C047671BBC4A7E3E76659F0C
                                                                                                                                                                                                                                        SHA-256:D0537A699AC801AEC651597D3D7B937F3DFD0E50AAEC04CC1746570291115811
                                                                                                                                                                                                                                        SHA-512:3360DA79D6E157AEDA216D75D8336D49BC4B55E03159E556AD3E9616AAAFE6529B8BB17C45D2196E37EB59CF736935BE09A9CFB05BB8D60C2B45EFBB66105585
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MDMP..a..... ........I'f........................(-..(.......,...P6...........j..........`.......8...........T...........xj..X...........|7..........h9..............................................................................eJ.......:......GenuineIntel............T............I'f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8662
                                                                                                                                                                                                                                        Entropy (8bit):3.6982285869485527
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R6l7wVeJRQ6a3IMD6Yfza652tgmfxjUprl89bNBsfHPm:R6lXJW6a3IMD6Y26UtgmfxHN6fO
                                                                                                                                                                                                                                        MD5:72645D82671BF32AC722C56459D4B363
                                                                                                                                                                                                                                        SHA1:FC0D9384EF1813E7C0091D6D5A889D116A23D3C7
                                                                                                                                                                                                                                        SHA-256:D98E47927A97C12F93592171A9529C38C1D5EFD57A05326B753A6EB8A03A61EE
                                                                                                                                                                                                                                        SHA-512:D9D8B546BCA03988A89A1289E18CB7774A96EF7FCBBD66563540D03FB08A7A246FB975376E46316A64C4FE3EFDE9865C199F68E2ECACB2E50B9716A077465348
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>4824</Pi
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4983
                                                                                                                                                                                                                                        Entropy (8bit):4.539327896863885
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cvIwWl8zsCJg77aI9CnVWpW8VYJLYm8M4JAZtXKRGXSFdI+q8NHXGkXw1VE8x8Md:uIjfQI7knk7VtJWXLXAI8XpXYVz6Md
                                                                                                                                                                                                                                        MD5:144995517AF8F38C973F1ACABEAD3278
                                                                                                                                                                                                                                        SHA1:452E1CD238A6511FACEC0C4EC6930A5B6EF9B964
                                                                                                                                                                                                                                        SHA-256:760A445974BD39FC98FFD752E509FB2D977196BA9065F2BBC487ECA8F5BDEAB5
                                                                                                                                                                                                                                        SHA-512:82FB91126E8A6087DDEAC4C69A757E01EFD533DBE20011BC4A20E9BC3637B2F7C2CC3DA82E3BDCC1AEE4EDABE87ACDFDEECB97FE09EA61422B390B8BA9656938
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292122" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):87616
                                                                                                                                                                                                                                        Entropy (8bit):3.084477926397284
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MuugacDoe47SHTuw8mZH7B2aDH+SJU4C/8s4grCMP8z:MuugacDoe47SHTuw8mZH7B2aDH+SJU4n
                                                                                                                                                                                                                                        MD5:AC545F87208B616D0F7E6B56E006E44A
                                                                                                                                                                                                                                        SHA1:DE3C6AA82B25C0B7430F419EB14EE2FAF8FE160E
                                                                                                                                                                                                                                        SHA-256:DEC7BD530E877C8DAFE4D3C870B056DAA98F7E3671CF2B29C945E24F896517C3
                                                                                                                                                                                                                                        SHA-512:255CEDFA04351E53D8C6C6F9ECD1D32AA73A999D4963C3216F669D43EFF960ACDDF6564C95CE4EBBAACABD469C4B0897442F96145AAA43B99420CA6CC8DE7535
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
Preview:ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                        Entropy (8bit):2.685723364527632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:TiZYWkkHKeWFNY7YDiWCH5YEZghtFiFMKDHwQKfNZaEIlMTQDyIFs3:2ZDk8qMIsKjaEIlMTQ5Fs3
                                                                                                                                                                                                                                        MD5:01AD754567BADAFA7A52D2A05A5E25A4
                                                                                                                                                                                                                                        SHA1:D90F7A91DE1692970F3F11CA95FFCAD8A22B95AA
                                                                                                                                                                                                                                        SHA-256:DA7F9FAD257B097F237CA6F16C1D728425F6D78AD5F7C441BD9CFD64BCD586BD
                                                                                                                                                                                                                                        SHA-512:E299452204E16D40F77628DDB06077692D3483AB8986CC7AEA97598E5A29262EB4377F0BE4D49798598D0A9FE1117742343CA3FC1D3DBFBE6A93DB93A2053CA2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
Preview:B.TimerResolution 156250..B.PageSize 4096..B.NumberOfPhysicalPages 1048333..B.LowestPhysicalPageNumber 2..B.HighestPhysicalPageNumber 1310719..B.AllocationGranularity 65536..B.MinimumUserModeAddress 65536..B.MaximumUserModeAddress 140737488289791..B.ActiveProcessorsAffinityMask
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2022592
                                                                                                                                                                                                                                        Entropy (8bit):5.999974579136952
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:+dK+qRAhQZWnHFRGGbk0kLHYCFOEx3BMHAE4d/R0l7lRmRj5/Kz3PYez2OQJBmx0:eKYdRxknOEx352P57PFj1xVYNcXsn
                                                                                                                                                                                                                                        MD5:FB84325FD7362B5634C4DE62B3A2C001
                                                                                                                                                                                                                                        SHA1:EBB54EC78A071CE47A1C86F47903D56D77B34CF7
                                                                                                                                                                                                                                        SHA-256:23BDCCB16E5900857C621B67C779B2A49179ACA564EEAF1E74FD10C4EB1651EF
                                                                                                                                                                                                                                        SHA-512:D59933302521C9B3EEAD330A38577FAF1DF0378AA926690C6001186D495ABE4FC470BF578BC9DEABD82E26D7B1F8ED446957494122BD65047456C657DC9BADE2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):377176
                                                                                                                                                                                                                                        Entropy (8bit):5.999945871691186
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:1BDotCsX0mytklk/i2PziH5XiX2huoW9h7dp9Q5FG85I2YYCQLk6j:jWCsDytkxMzUhYhFH/i/eLkA6j
                                                                                                                                                                                                                                        MD5:F2C339446D80393CF12236A064FA5182
                                                                                                                                                                                                                                        SHA1:4274F6487AC9249FD4B49DD5D22EB7CF60A67046
                                                                                                                                                                                                                                        SHA-256:863A22F58523D47B94E1273ECF9E2F280D0715FFC20A46D704993A32F54829BE
                                                                                                                                                                                                                                        SHA-512:E65CF3BBD78AB8DE244E47AEA6BFFE1CCD3B22B32A2260C9BA761D2C1F00A03AED17E6144E271435DC44C1F139AD74743F4F52A6140253B77842DEEDEA4DCF00
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Mar 4 15:20:38 2024, mtime=Tue Apr 23 04:39:58 2024, atime=Mon Mar 4 15:20:38 2024, length=27769744, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):853
                                                                                                                                                                                                                                        Entropy (8bit):4.512810280751341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:8m+Af/sBYXsx1h9xPdpF4yZgl18zjsYhjEjAdBbdpT6LbdpTHWQMwmV:8m+Y/8bd3gl18zjBhUAfdd6HddHWfwm
                                                                                                                                                                                                                                        MD5:93D6A9E44B6F512B2739CD62BDE2F436
                                                                                                                                                                                                                                        SHA1:7ED27CD7004492BF4417C76C42D4AD9A433743EC
                                                                                                                                                                                                                                        SHA-256:BCA16780EC6651BD601A275735FD38FFA78ED8ED389216F45B14021D566CBF7F
                                                                                                                                                                                                                                        SHA-512:9A21949EF5C0FD53AD4D82E1369CF03B880F5C363A0358DF6D9B8669E8C447AF2C1235384BA01E325D6E0761A68A1C4B2D6FB5F63CC4F2524B6CD0BEE8D7E619
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.... ....O..On.....@....O..On..........................{....P.O. .:i.....+00.../C:\.....................1......X.,..PROGRA~1..t......O.I.X.,....B...............J......<..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.-..BitComet..B......X.,.X.-....J......................,..B.i.t.C.o.m.e.t.....f.2.....dX.. .BitComet.exe..J......dX...X.,..............................B.i.t.C.o.m.e.t...e.x.e.......U...............-.......T....................C:\Program Files\BitComet\BitComet.exe..,.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.i.t.C.o.m.e.t.\.B.i.t.C.o.m.e.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.i.t.C.o.m.e.t.`.......X.......216041...........hT..CrF.f4... .$..Jc...-...-$..hT..CrF.f4... .$..Jc...-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1398
                                                                                                                                                                                                                                        Entropy (8bit):7.676048742462893
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ujsZPSIPSUcnA3/46giyfV4Hxk7P3Gus6acCQ4CXmW5mOgs:ujul2nQ4XfVkk7P3g6dB42mVs
                                                                                                                                                                                                                                        MD5:E94FB54871208C00DF70F708AC47085B
                                                                                                                                                                                                                                        SHA1:4EFC31460C619ECAE59C1BCE2C008036D94C84B8
                                                                                                                                                                                                                                        SHA-256:7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
                                                                                                                                                                                                                                        SHA-512:2E15B76E16264ABB9F5EF417752A1CBB75F29C11F96AC7D73793172BD0864DB65F2D2B7BE0F16BBBE686068F0C368815525F1E39DB5A0D6CA3AB18BE6923B898
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):264
                                                                                                                                                                                                                                        Entropy (8bit):3.1537500202709894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKQPWFkthurGhipWhliK8al0GQcmqe3KQjMIXIXL/:GYkt4rGIWzyZ3qe3KQjxXIT
                                                                                                                                                                                                                                        MD5:3831AA223891C77588CA3F78E5A99CA8
                                                                                                                                                                                                                                        SHA1:F84F1C9F24975B3FBE6C169F3C071F76FDEBDB70
                                                                                                                                                                                                                                        SHA-256:10A5042D28422665C8647DA7E0B45D601A2A0EF6A88E3613D4638FC58A26F824
                                                                                                                                                                                                                                        SHA-512:2C8F7DFF4FF6FF5FCC10768631FCDC4A0498EF8A05E194FE6A3E93A800754AF89176F4990600153DA1ED467005EA08F81E4AA462D7D533133FECA8F56FD6A61C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....v.......@...(....................................................... ......................N.....v...h.t.t.p.:././.s.e.c.u.r.e...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.a.c.e.r.t./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5...c.r.t...".6.2.f.a.4.8.4.5.-.5.7.6."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2056
                                                                                                                                                                                                                                        Entropy (8bit):5.475477494916324
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:YDEFMsFiHC0af0U+huPXowoeiW5nBHB+1lzdrxcBLZ3YRMTnNBG/d2a:PNkC1f05gQetxBciFZUMTNI4a
                                                                                                                                                                                                                                        MD5:DF10151BD13A49FE9CC380E75BE8F8A7
                                                                                                                                                                                                                                        SHA1:02D390AF3DEB6CDA3939DC365B32329E0E74990C
                                                                                                                                                                                                                                        SHA-256:C73CB928B20199D312AC1C0700F6FAD62434633B7261FDB270FAA5056D9DBA03
                                                                                                                                                                                                                                        SHA-512:70698DBF7147A2F4910983DA7D13F9CF4329E767B4F6B715DA3ACD4372EEF47FD9DF3BD73B8E423C4AE50407CF644B1A1F0D93156F6BE67D6E2FC72DF2ABE942
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"dual_user":{"ie_to_edge":{"redirection_mode":0}},"edge":{"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACh951LgvM2Qb9CwsFGCkzdEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABD0qrA/1M2p05las89SFLH91gcRTRuy3aQSBO5tqZSvgAAAAAOgAAAAAIAACAAAABvmV3+MdX6Tqq0Bne9+d2sllxMMMvq21CapH5IOt/bdDAAAAB6o6CQC/aMQy3isabs6KYzngVUBU9TDWo8ft2NTWf9YP+eJ3+yMcqsQR1zHN+zbQBAAAAAaITLD8g/baji/7MOyJleUSl4xE+6rkfDHA0FqCbDO1yWRn2SHa0V39TZ3hxwvYWQmMKGSyWu9aGUE02N+LtCUQ=="},"policy":{"last_statistics_update":"13358324420959748"},"profile":{"info_cache":{},"profile_counts_reported":"13358324421123820","profiles_order":[]},
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16689
                                                                                                                                                                                                                                        Entropy (8bit):6.071158388499772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nDF5g/rZP0/jpq4eVYCxmxf91UM27NBSj1V0BWQHKh3:DF5kruq4eV5xmx3QXBWEG
                                                                                                                                                                                                                                        MD5:930485506FC7AD27854EAAEA234AE02F
                                                                                                                                                                                                                                        SHA1:FAC5B582B2C933521EFBE40A0A8601D70251FB98
                                                                                                                                                                                                                                        SHA-256:F62934A74173818754001261E302B5A44F3D94CB08A869C4C05DB36743038ACD
                                                                                                                                                                                                                                        SHA-512:08218FD4B286ABC29E5D301BE6D9936CF15FFE48382A6AB8B4B800B9040F94E2AEC35453C2E7AC8FC18C73C7D0E2ACECEFE1AFD602DCBA060CAF6D68CB3D9C0D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17923
                                                                                                                                                                                                                                        Entropy (8bit):6.067642695898003
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nDF5g/rZP0/jpq4eVYCxmxf91UM2ONBSj1V0tNMuWQHKh3:DF5kruq4eV5xmx3QCtGuWEG
                                                                                                                                                                                                                                        MD5:76FC2766DC115A7AEFD52E9F63D7A309
                                                                                                                                                                                                                                        SHA1:357368CE93204D054B5ED162852608996582B636
                                                                                                                                                                                                                                        SHA-256:22BCBDE3236ED536B1CE4DACA9CD5AD85FF84804617A7FA99C165575391042C2
                                                                                                                                                                                                                                        SHA-512:13872BFDE7D5FD42BF005D725924059EC9DF1A9C6693B57525C1F645D88A16C1DAEB7F52465AADB8F5178FE383766FF453A56089C03C97BAD134F4F12F5EF27D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:1045BFD216AE1AE480DD0EF626F5FF39
                                                                                                                                                                                                                                        SHA1:377E869BC123602E9B568816B76BE600ED03DBD0
                                                                                                                                                                                                                                        SHA-256:439292E489A0A35E4A3A0FE304EA1A680337243FA53B135AA9310881E1D7E078
                                                                                                                                                                                                                                        SHA-512:F9F8FCC23FC084AF69D7C9ABB0EF72C4684AC8DDF7FA6B2028E2F19FD67435F28534C0CF5B17453DFE352437C777D6F71CFE1D6AD3542AD9D636263400908FD2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:1045BFD216AE1AE480DD0EF626F5FF39
                                                                                                                                                                                                                                        SHA1:377E869BC123602E9B568816B76BE600ED03DBD0
                                                                                                                                                                                                                                        SHA-256:439292E489A0A35E4A3A0FE304EA1A680337243FA53B135AA9310881E1D7E078
                                                                                                                                                                                                                                        SHA-512:F9F8FCC23FC084AF69D7C9ABB0EF72C4684AC8DDF7FA6B2028E2F19FD67435F28534C0CF5B17453DFE352437C777D6F71CFE1D6AD3542AD9D636263400908FD2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                        Entropy (8bit):0.7508269121544022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ChfLbC6E92z7zOs/oHRGg1DRFFjRGw/x6ubqzE+h6vD1/g86CkpRGQqd:I3Cp8zOs/oAg1HF8y6kqQvjgO7d
                                                                                                                                                                                                                                        MD5:7E1EADBCAB714777FD65062712C6B780
                                                                                                                                                                                                                                        SHA1:3C012BBF02D5CEAFA30645BF2B5E80E566A8CDF3
                                                                                                                                                                                                                                        SHA-256:D34A28B17385BAE4B2E93C4CBDCF3401CBC97176751CEF59341848DCF478EB7F
                                                                                                                                                                                                                                        SHA-512:51D382EAEFA5A5D4A8C72D8C76F119CC3AB7A7B6F32B54BEFA52D1FA2A0E2E5EB11769097507D822E7B00DC07CAF38C8F090C0594D501B9FA7A92EC3EA578654
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@............C.].....@................8...6..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30....6.........117.0.2045.47-64".en-GB*...Windows NT..10.0.190452(..x86_64..?........".dnomfy20,1...x86_64J....?.^o..P......................>..*......hW:00000000000000000000000000000000000000000000!00000000000000000000000000000000000000000000!BitComet.exe. 1900/01/01:00:00:00!BitComet.exe".2.072...".*.:...............,..(.......EarlyProcessSingleton.......Default3.(..$.......msEdgeEDropUI.......triggered....8..4... ...msDelayLoadAuthenticationManager....triggered....<..8...#...msSleepingTabsShorterTimeoutDefault.....triggered....8..4... ...msEdgeMouseGestureDefaultEnabled....triggered....8..4.......msEdgeShowHomeButtonByDefault.......triggered....<..8...$...msConsumerIEModeToolbarButtonDef
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280
                                                                                                                                                                                                                                        Entropy (8bit):1.9016799979883232
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:FiWWltlGqvl/dNEjYb1gmlx/ll:o1G8/dfCmlZl
                                                                                                                                                                                                                                        MD5:7B084C66DC5773D6BD0D625E706AC372
                                                                                                                                                                                                                                        SHA1:F3B0645FCA4183DF06AD63C9B6DD3F9FFB15A3AF
                                                                                                                                                                                                                                        SHA-256:F8AB24F3132E527831F0655A975A541F4C374247A75484123C9E44D905261A2C
                                                                                                                                                                                                                                        SHA-512:1A65252F39E3588C68CCDECF279BEA05F0F939563D68C63498BDD912989D8B85E853C535B231499DB0904E30F24609C095D317065B45BE2B4FC00CE8BDAE3AF8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:sdPC....................W.+..[O.G......................................................................................................................................................................................................{F3017226-FE2A-4295-8BDF-00C3A9A7E4C.}C:........
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20
                                                                                                                                                                                                                                        Entropy (8bit):3.6219280948873624
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:8g6Vvn:8g6Vv
                                                                                                                                                                                                                                        MD5:9E4E94633B73F4A7680240A0FFD6CD2C
                                                                                                                                                                                                                                        SHA1:E68E02453CE22736169A56FDB59043D33668368F
                                                                                                                                                                                                                                        SHA-256:41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
                                                                                                                                                                                                                                        SHA-512:193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:level=none expiry=0.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6780
                                                                                                                                                                                                                                        Entropy (8bit):5.580045113588475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:vODizsPlf/ROoBpkF5d13iQ7VaTEv9V5h5pg5vezodIU81USpsA5IOrMn3YPo0MT:GOzYr389l5+SpFIOAn3go0iujk
                                                                                                                                                                                                                                        MD5:FB4FA71309850FA416A24BCC8DEC6161
                                                                                                                                                                                                                                        SHA1:DDA19E6FAEDEBBBDE95C1E96ED718CA337C856EF
                                                                                                                                                                                                                                        SHA-256:876D9609C4470F9771F350F3203E98E5C8340B600DDB0C473EDEC82A455D0C3C
                                                                                                                                                                                                                                        SHA-512:2A587CA32489EC98CEA6A9AF36B43E90757986898152E00AEFFD5F36D266818BB9DC98A35608440269EA728DCA19FA3A15BC6AFACCBADE62C12683E375364027
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"extensions":{"settings":{"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13358324421491157","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13358324421491157","location":5,"manifest":{"content_capabilities":{"include_globs":["https://*excel.officeapps.live.com/*","https://*onenote.officeapps.live.com/*","https://*powerpoint.officeapps.live.com/*","https://*word-edit.officeapps.live.com/*","https://*excel.officeapps.live.com.mcas.ms/*","https://*onenote.officeapps.live.com.mcas.ms/*","https://*word-edit.officeapps.live.com.mcas.ms/*","https://*excel.partner.officewebapps.cn/*","https://*onenote.partner.officewebapps.cn/*","https://*powerpoint.partner.officewebapps.cn/*","https://*word-edit.partner.officewebapps.cn/*","https://*excel.gov.online.office365.us/*","
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):6294
                                                                                                                                                                                                                                        Entropy (8bit):4.831152187849111
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/P5s1mGOb9ING8zu85eh6Cb7/x+6MhmuecU61eeGhe+8Z52MR7K:st3BsRGku88bV+Fw6QBuDPhK
                                                                                                                                                                                                                                        MD5:618CC556AB057AF1004875F0C368B07B
                                                                                                                                                                                                                                        SHA1:FF482D0554CF0AC27BC00C5334D476378EFA4FCA
                                                                                                                                                                                                                                        SHA-256:BED36FE9C194EBD77C0EA49F703CB60036FC3FDB031CAE6FF420AC4AE9982A14
                                                                                                                                                                                                                                        SHA-512:38C6AE9960F1F1A723751072BEF956EEAB15C86D0A3FDAC33EBB66C5644D94B18C29BAFDBF1F927B1AEA88EA195D7667E5BDF35F2FE0072AC8AF0E6BC22FE301
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":184,"browser_content_container_width":162,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):0.3202460253800455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
                                                                                                                                                                                                                                        MD5:40B18EC43DB334E7B3F6295C7626F28D
                                                                                                                                                                                                                                        SHA1:0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
                                                                                                                                                                                                                                        SHA-256:85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
                                                                                                                                                                                                                                        SHA-512:8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45056
                                                                                                                                                                                                                                        Entropy (8bit):0.07557265886754276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:/FSLqHNUQmE1CHKGlqeytaFceVKfP8qsYJ4vs6TxoyealO:dRUw14Blq7eVKAea
                                                                                                                                                                                                                                        MD5:CE38B52980B0117284AB6B2C7A0C442F
                                                                                                                                                                                                                                        SHA1:8EE03F5A7B43BFB05459C6F1444D563E5209A324
                                                                                                                                                                                                                                        SHA-256:E3C8D43997B4DF7D247B1BD45DCBA8F0E8EE228A5418CB2334197E3416D2BEF0
                                                                                                                                                                                                                                        SHA-512:860796FC834C6348468FA7CB94493F8DABD139C259DC681AB5699C462E64C7E9BDA1781B3DB46FA94E0FA95D0B2F64E1A65DC0718980F473F09EEC828A05184E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):0.05946439090899773
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:U/3X+hQR97G5UJWfHyppGmQl2Ev76UAhgfJV71teH75P57hFWOL7mL0RbME/W7AA:gJ9IUJWfR2EGZGVIvgOQfwDwH
                                                                                                                                                                                                                                        MD5:B719AA53E435DFC2876D00DF5D4207A6
                                                                                                                                                                                                                                        SHA1:46A2590ACB6940D3E90A0F96B92C9AE7F5BD6EAB
                                                                                                                                                                                                                                        SHA-256:48DDEB4D42E9B06DF30A6B65C76905001A6CB7653CD3AA4B8E5D69FBABCCC52E
                                                                                                                                                                                                                                        SHA-512:554397E0DF6490FD252207FE31E7B8A00F0801169327CE07A87F0DFE17CFFF83A16AF29FCEECC225C673F64645F8EED1456754C4E4134F0B75DBEDC49A7980DA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1056768
                                                                                                                                                                                                                                        Entropy (8bit):0.3628339342982245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:FPaJt3qIQK9JtAQwJtQKzyZ0otLwAJtAOFu7JtQSVJtAuQJtA:AJt6yJtwJtBy9Jt7FkJtzJtyJt
                                                                                                                                                                                                                                        MD5:8904E66E89758ECE7BFEE2535052C29C
                                                                                                                                                                                                                                        SHA1:E17612F5FB5C672CC6435B33A85A01A99B42D60A
                                                                                                                                                                                                                                        SHA-256:0537FB74CEFFB1814B4DE2F81381C064A89F6CA2B7068E95298A30AB74E9A665
                                                                                                                                                                                                                                        SHA-512:70E040F4E3668E0600230E3AD4526C26318CA8477AB021EC33327F830732751FA9427955A2DC96A1441298FD73ABA26D4E662A1AD14DE1ECD53A2779BE4831EC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:dBase III DBT, next free block index 3238316739, block length 1024
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4202496
                                                                                                                                                                                                                                        Entropy (8bit):0.049201372489442875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pK4rPWuiuTMJZbtMF0r4rPWuiuTMJZbtM/uJP+AREUc19dn:pfPWuixJtK08PWuixJtwuJPnEUc19N
                                                                                                                                                                                                                                        MD5:DCEC6551E33D2A672CA98263EA54C7FA
                                                                                                                                                                                                                                        SHA1:16B9E4E1E4DB7BBA3E856B458AB4D1079CB2E7F9
                                                                                                                                                                                                                                        SHA-256:8B636AEBB62FA62908B899502D65BBF495DE2C2C7F65A16206EE98B44D150487
                                                                                                                                                                                                                                        SHA-512:3FB6722C6C014291C138D2E4C3D6851E26B42715AA3FBF1F4CADE6E6F27373488E3B2D1D3A1D1215DFC28D746146B22D525F485F18F68C9B2B0F889492768854
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (4179)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):202289
                                                                                                                                                                                                                                        Entropy (8bit):5.536074363396655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:LKAZVNSNcMzsz58T8f9CBPIrTW77PeMfK6St2nBsLqQqJqt:uAFMgzcZxfK6St+aqQqJk
                                                                                                                                                                                                                                        MD5:6F2CFDCE006F53235D216231933FEDEB
                                                                                                                                                                                                                                        SHA1:8ED38836AA4663953FB2EB2A5A0ED686320D4C97
                                                                                                                                                                                                                                        SHA-256:43D0258526F13FE5087ED655560BD7E4193A1B3D1180379BBB06C37C81288E94
                                                                                                                                                                                                                                        SHA-512:39AA4CFC6026B2A5E6A1B8824DD999832F0930A64D5913E9E71DD4AD1738341EDFE29C3242A13D2325BFA2F05D4F61C8D44116766D7B27F48A7702690726FA49
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"}],. "tags":[{"function":"__ogt_1p_data_v2","priority":2,"vtp_isAutoEnabled":true,"vtp_autoCollectExclusionSelectors":["list",["map","exclusionSelector",""]],"vtp_isEnabled":true,"vtp_autoEmailEnabled":true,"vtp_autoPhoneEnabled":false,"vtp_autoAddressEnabled":false,"vtp_isAutoCollectPiiEnabledFlag":false,"tag_id":6},{"function":"__ccd_ga_first","priority":1,"vtp_instanceDestinationId":"UA-1442335-1","tag_id":9},{"function":"__rep","vtp_containerId":"UA-1442335-1","vtp_remoteConfig":["map"],"tag_id":1},{"function":"__zone","vtp_childContainers":["list",["map","publicId","G-65GE1S8Y8M"]],"vtp_inheritParentConfig":true,"vtp_enableConfiguration":false,"tag_id":3},{"function":"__ccd_ga_last","priority":0,"vtp_instanceDestinationId":"UA-1442335-1","tag_id":8}],. "predicates":[{"function":"_eq","arg0":["macro",0],"arg1":"gtm.js"},{"function":"_eq",
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):43880
                                                                                                                                                                                                                                        Entropy (8bit):7.921215632608533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wr4UHnOOoPiThpalCrpgu9zixUZfjelx5khxM1GS4nxP66wapgneKm0:nUHOhitpalCdj9NxyxOxM1GS4xrBeA0
                                                                                                                                                                                                                                        MD5:10376E68A8316EF9A8FDFAE6F7079A1A
                                                                                                                                                                                                                                        SHA1:77FB7A54A5421B8C207ABDEFDCDD4DB38769D2EE
                                                                                                                                                                                                                                        SHA-256:AB0442888A2CC469C0AE6BB2A567C19D8C064FE74B5A19CADB209DEA062CB857
                                                                                                                                                                                                                                        SHA-512:503BC6C644B108776B687AB2E31B74ED6B63226EF9B27C7F6544D4524B20E6F484638ABD6FDABE160BA00DA780DB35A588B8F15C119E861D1DA33B523C437793
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (33048)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):164401
                                                                                                                                                                                                                                        Entropy (8bit):5.164050548400874
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:dSp1Fp/FVgpe1hcfPK1GOGKiVNya46SeaJNJ8rQl:dSwYuTOBiVN1SeaJNB
                                                                                                                                                                                                                                        MD5:2B54E082BDD07E232FBAC36072B50FA4
                                                                                                                                                                                                                                        SHA1:2F57DBCA655826449648651A6AEE8FA4E422A03C
                                                                                                                                                                                                                                        SHA-256:8248168E050B5D1FEE4EAA6D57149DDCADC312A95AD4246125F5EBB545A0F779
                                                                                                                                                                                                                                        SHA-512:7BC8FF18D2B4A6B4467C49D98BE1E661ED766C679B68488EC209F736B3953DCBF3979E1417753450F329685ABC3AC94249E71DFD0E9DF92A469A28FA02C4D766
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@charset "UTF-8";.materialize-red{background-color:#e51c23!important}.materialize-red-text{color:#e51c23!important}.materialize-red.lighten-5{background-color:#fdeaeb!important}.materialize-red-text.text-lighten-5{color:#fdeaeb!important}.materialize-red.lighten-4,.materialize-red.p_main_container{background-color:#f8c1c3!important}.materialize-red-text.text-lighten-4{color:#f8c1c3!important}.materialize-red.lighten-3,.p_article .materialize-red.p_alternative{background-color:#f3989b!important}.materialize-red-text.text-lighten-3{color:#f3989b!important}.materialize-red.lighten-2{background-color:#ee6e73!important}.materialize-red-text.text-lighten-2{color:#ee6e73!important}.materialize-red.lighten-1{background-color:#ea454b!important}.materialize-red-text.text-lighten-1{color:#ea454b!important}.materialize-red.darken-1{background-color:#d0181e!important}.materialize-red-text.text-darken-1,.p_footer a.materialize-red-text:hover,.p_footer a.materialize-red-text:link,.p_footer a.material
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (5955)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):300995
                                                                                                                                                                                                                                        Entropy (8bit):5.564846324802843
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:/4MAFMgzFe7/YXfhmpt+aqeyZXDelJsXJ:wMnQe7/wdpJ
                                                                                                                                                                                                                                        MD5:1B91BF2B22EB8568AD83A45B6CF90C93
                                                                                                                                                                                                                                        SHA1:696D543F722EACE83A1CCFCE29BE538BB504EF6D
                                                                                                                                                                                                                                        SHA-256:B13E4C01508376F72CAFABCC6F4771334503905C39A6089D5A6C1612A3997EDA
                                                                                                                                                                                                                                        SHA-512:FCC86EC820DDAEEA0C35733D15F2EB78726458F50589BB58816773EBDE0001651ED3514BAFE0E9DB0EBB8FBEAAF14130CD1BD213A94710195119C46613522015
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"},{"vtp_signal":0,"function":"__c","vtp_value":0},{"function":"__c","vtp_value":""},{"function":"__c","vtp_value":0},{"vtp_signal":0,"function":"__c","vtp_value":0},{"function":"__c","vtp_value":""},{"function":"__c","vtp_value":0}],. "tags":[{"function":"__ogt_1p_data_v2","priority":14,"vtp_isAutoEnabled":true,"vtp_autoCollectExclusionSelectors":["list",["map","exclusionSelector",""]],"vtp_isEnabled":true,"vtp_cityType":"CSS_SELECTOR","vtp_manualEmailEnabled":false,"vtp_firstNameType":"CSS_SELECTOR","vtp_countryType":"CSS_SELECTOR","vtp_cityValue":"","vtp_emailType":"CSS_SELECTOR","vtp_regionType":"CSS_SELECTOR","vtp_autoEmailEnabled":true,"vtp_postalCodeValue":"","vtp_lastNameValue":"","vtp_phoneType":"CSS_SELECTOR","vtp_phoneValue":"","vtp_streetType":"CSS_SELECTOR","vtp_autoPhoneEnabled":false,"vtp_postalCodeType":"CSS_SELECTOR","vtp_email
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:PNG image data, 454 x 454, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):56904
                                                                                                                                                                                                                                        Entropy (8bit):7.984452226174247
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:tNTJTLegShtw7mk87tYZaV70DzFTr+O4TeMH:DJuzhy7mk8ZYo2z9CDH
                                                                                                                                                                                                                                        MD5:9CC1FE1B3A24AB7F3D670CB666A06941
                                                                                                                                                                                                                                        SHA1:498F35F90C0245885B369F7F6772BB34703420EB
                                                                                                                                                                                                                                        SHA-256:D810B7149DB98D232565C88A9C490581D03B54D6D7A9951BBA3EE070A8AAECE5
                                                                                                                                                                                                                                        SHA-512:5BD86C35AB13F43A3498D074671DE1CFB9C2F33E7FFAD678D005A67FB79AF71713E9EA9E734DFABD93D2C7D117956863A55CB30EE0981E51CB932FC36FF4D73B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):524656
                                                                                                                                                                                                                                        Entropy (8bit):5.027445846313988E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsulDY2:Ls
                                                                                                                                                                                                                                        MD5:896F99EC1ED651C7AC37CEC05BB6ED04
                                                                                                                                                                                                                                        SHA1:8FA359C05B207C3A97F0707BB419E485A594E748
                                                                                                                                                                                                                                        SHA-256:279C4F1C169E470FBB2E8F818144023D41D030B56D2AF8A1A0C9966664CEE027
                                                                                                                                                                                                                                        SHA-512:EA53D1F45A633994CB034FE0E3969FC70BB5047203FE811B485241AB72DA623C633E4803D67479483CF235CAB893DD7B47DF3FDDC12E3417833BFF8EA50B2722
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):221
                                                                                                                                                                                                                                        Entropy (8bit):5.458071604690171
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:miXYGLSmXZCen0RdWN53H6tOlK1rDkE4pp1/:DL0Ru6D1PLQ
                                                                                                                                                                                                                                        MD5:750195AE178721F45BDE724AAA152AC4
                                                                                                                                                                                                                                        SHA1:E2AB335C00A2C4D3829E84A54C4B9F6B904B69B2
                                                                                                                                                                                                                                        SHA-256:F25864680ED7992EB7EDF7ED4DB92DB0B2783F4CA67313E6989E652606E25B3B
                                                                                                                                                                                                                                        SHA-512:CCBB4B90A90A9B3009B21447D355676FC8B5B7AED232EF0677E8B1847F829C83B25680AE6333F8448EAAE59EFF4E2AC17964D9484B8376058FE7838EACECB768
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0\r..m......Q...._.c...._keyhttps://www.googletagmanager.com/gtag/js?id=G-BE27VNW489 .https://apphit.com/.A..Eo.....................GSu/.........Z...........o.G.......z...e..p.7UR...,*.}.....u.zm.A..Eo..........$.......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262
                                                                                                                                                                                                                                        Entropy (8bit):5.656569883507078
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:mutbYygIYlbCwt2H6tU6XZ59P2lAE+gY4Zp:5tVP6e6p5t0vp
                                                                                                                                                                                                                                        MD5:58CA652BCA8D74E8149D1188D437012D
                                                                                                                                                                                                                                        SHA1:D1A82579A41AEE8B939CB84D6DC96E7668D6C84A
                                                                                                                                                                                                                                        SHA-256:8EBF7972F78025C075301643B72EF738222517C249BC0CEAF00187303BE1EFEB
                                                                                                                                                                                                                                        SHA-512:B1B00796708EF089B2BFB9266762CD245EE111332DF8F65D0C5E9E31D27E1858F365431A31AF142DF4E25397ACB2EED123EB5F6F6BFB5EA4AB742498DF53817A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0\r..m......R...{.D....._keyhttps://appassets.bitcomet.com/assets/index-710fe85a.js .https://bitcomet.com/.A..Eo.....................GSu/.@............a....i.H.j...T'.....KW.{..c9.....Z...........B.........5%z.o....3%...)6et...o...PT....A..Eo......R..(L.......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24
                                                                                                                                                                                                                                        Entropy (8bit):2.1431558784658327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:m+l:m
                                                                                                                                                                                                                                        MD5:54CB446F628B2EA4A5BCE5769910512E
                                                                                                                                                                                                                                        SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
                                                                                                                                                                                                                                        SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
                                                                                                                                                                                                                                        SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0\r..m..................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96
                                                                                                                                                                                                                                        Entropy (8bit):3.9818721485946122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:h7q9q/bll/luJ2iOl/BwLvFn:fkWBwLvFn
                                                                                                                                                                                                                                        MD5:61AF560F8E5DBFF8185B5F7BA47E945F
                                                                                                                                                                                                                                        SHA1:BED085DDB7F7EE521B4D7863DEB9314D131B6BB5
                                                                                                                                                                                                                                        SHA-256:77AA0D47A3FB4C55F918C7EDA857584CD7E2E1D46333FCE9BE98D50D4047A585
                                                                                                                                                                                                                                        SHA-512:AFB4EDC37CA34A19CBE2D7FB4916AAF636527861ADE9FB446D97F205E01AF5EA4CF30000423BB643647C2F37928251542503A81D9281B30E0D4C96CFF1BB38E9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:X....,.oy retne.........................X....q..,8GSu/.................(GSu/.........n.?GSu/.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24
                                                                                                                                                                                                                                        Entropy (8bit):2.1431558784658327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:m+l:m
                                                                                                                                                                                                                                        MD5:54CB446F628B2EA4A5BCE5769910512E
                                                                                                                                                                                                                                        SHA1:C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
                                                                                                                                                                                                                                        SHA-256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
                                                                                                                                                                                                                                        SHA-512:8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0\r..m..................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48
                                                                                                                                                                                                                                        Entropy (8bit):2.9972243200613975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:8ddEmzs3+:8UEsO
                                                                                                                                                                                                                                        MD5:89A2E591BD10C1C242F35A7AC0ABA3FB
                                                                                                                                                                                                                                        SHA1:519E3BEBACA336316CBD4028F88521FA40B07B09
                                                                                                                                                                                                                                        SHA-256:780AB3147102759B1A9834677B143D3FD2500638808360B8943E23878FAC3EB9
                                                                                                                                                                                                                                        SHA-512:ED124E9FA526017B1172CAD077E63A20348F6EF0AA97D325728CE8B0588494DE44DF9343BE6475C6840DC6C2BCBD731A699C99C04A954DAF1B51A08952D12AC6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:(...a...oy retne...........................ESu/.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28672
                                                                                                                                                                                                                                        Entropy (8bit):0.4868209081593117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TLi5YFQq3qh7z3WMYziciNW9WkZ96UwOfB7FG0:TouQq3qh7z3bY2LNW9WMcUvBw0
                                                                                                                                                                                                                                        MD5:F3898E1CCCC485329F888E6AF85E062F
                                                                                                                                                                                                                                        SHA1:D4EDC661D853A17762D8DFBCED35CE6FAA9BBB0A
                                                                                                                                                                                                                                        SHA-256:3E1FC0B655D4B82EEA9BFBD4D8223FFC007905C15B3DD19F8F87F1D2D99A1174
                                                                                                                                                                                                                                        SHA-512:3CE0AC128FE1A54337C582F5EB64001734F472F70D8B08BB5E68F2ADB000D04C417783A95FFA36E3296F29B62394FBFE9906B2BBE1FBD04F9905D7A824AEB738
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g.....8...n................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):8.280239615765425E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                                                                                                                                                                                        MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                                                                                                                                                                                        SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                                                                                                                                                                                        SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                                                                                                                                                                                        SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                                        Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsNlqabl/:Ls3qabl
                                                                                                                                                                                                                                        MD5:E9CC10E77E1CD395C62E332F2FEE527E
                                                                                                                                                                                                                                        SHA1:5C53D04DAF8A4A85EF4726108B6FE1A968A3F4F4
                                                                                                                                                                                                                                        SHA-256:C7FE6343A1A023A15702B987053D299BAF3911CCD88751254C6FD86344A9A56A
                                                                                                                                                                                                                                        SHA-512:F2152411C9E57B16B7E0D3DA6AEE0D9B0E8E0407095B090F50284E9ACF6901766E401344E75C8CF748CD17A92BADFE95CAEF724220F041DA032936BF99327C4B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.........................................n.ESu/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.494709561094235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
                                                                                                                                                                                                                                        MD5:CF7760533536E2AF66EA68BC3561B74D
                                                                                                                                                                                                                                        SHA1:E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
                                                                                                                                                                                                                                        SHA-256:E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
                                                                                                                                                                                                                                        SHA-512:38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38
                                                                                                                                                                                                                                        Entropy (8bit):1.8784775129881184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:FQxlXNQxlX:qTCT
                                                                                                                                                                                                                                        MD5:51A2CBB807F5085530DEC18E45CB8569
                                                                                                                                                                                                                                        SHA1:7AD88CD3DE5844C7FC269C4500228A630016AB5B
                                                                                                                                                                                                                                        SHA-256:1C43A1BDA1E458863C46DFAE7FB43BFB3E27802169F37320399B1DD799A819AC
                                                                                                                                                                                                                                        SHA-512:B643A8FA75EDA90C89AB98F79D4D022BB81F1F62F50ED4E5440F487F22D1163671EC3AE73C4742C11830214173FF2935C785018318F4A4CAD413AE4EEEF985DF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.f.5................f.5...............
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):275
                                                                                                                                                                                                                                        Entropy (8bit):5.189755700938738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IWLSR1N723NLdpaVdg2KLl6WL6u5QL+q2PN723NLdpaPrqIFUv:NLAaXHL1L6uS+vVaXo3FUv
                                                                                                                                                                                                                                        MD5:4D8833B44E736D98D4C612F9C0F9A4A4
                                                                                                                                                                                                                                        SHA1:E81F9AE2763A3755568C4E6B7395B3D0F8901712
                                                                                                                                                                                                                                        SHA-256:4B7AE3294BBAC26BF134C8DC65E071A4608382B8FFA06D5154CE871FC42729A5
                                                                                                                                                                                                                                        SHA-512:1CB2397440215EC9E4B757D59863DE28880441BBE3ACAE0626793124DB8AF66262E8C29C70A3E537F939EFCA7EB906A0AC69FA8A21570D657E0BF6EE74161C1F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:21.706 1cec Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension Rules since it was missing..2024/04/23-07:40:21.887 1cec Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension Rules/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38
                                                                                                                                                                                                                                        Entropy (8bit):1.8784775129881184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:FQxlXNQxlX:qTCT
                                                                                                                                                                                                                                        MD5:51A2CBB807F5085530DEC18E45CB8569
                                                                                                                                                                                                                                        SHA1:7AD88CD3DE5844C7FC269C4500228A630016AB5B
                                                                                                                                                                                                                                        SHA-256:1C43A1BDA1E458863C46DFAE7FB43BFB3E27802169F37320399B1DD799A819AC
                                                                                                                                                                                                                                        SHA-512:B643A8FA75EDA90C89AB98F79D4D022BB81F1F62F50ED4E5440F487F22D1163671EC3AE73C4742C11830214173FF2935C785018318F4A4CAD413AE4EEEF985DF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.f.5................f.5...............
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):279
                                                                                                                                                                                                                                        Entropy (8bit):5.161195366709879
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IvF1N723NLdp6FB2KLl6RfApQL+q2PN723NLdp65IFUv:6aXQFFLxi+vVaXQWFUv
                                                                                                                                                                                                                                        MD5:E536D7A4E602182DFEA54130868FC9C7
                                                                                                                                                                                                                                        SHA1:B3B02A1D5E119F1693B1D597EA782697F3201D0B
                                                                                                                                                                                                                                        SHA-256:4468739FD213E43D98EF5F536DB99C9A0C623450EDB03C14379C90CFADF3D60B
                                                                                                                                                                                                                                        SHA-512:12DB308D65BC2F6E58DAC4F736067AFD43E6322A3F29AD0E00B7D9AEBCC833D2AE914E693D2F1DF28B454F800D4C498A232F8D2DA3481180330FA55B2468DA33
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:22.033 1cec Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension Scripts since it was missing..2024/04/23-07:40:22.295 1cec Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension Scripts/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):114
                                                                                                                                                                                                                                        Entropy (8bit):1.8784775129881184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCT
                                                                                                                                                                                                                                        MD5:891A884B9FA2BFF4519F5F56D2A25D62
                                                                                                                                                                                                                                        SHA1:B54A3C12EE78510CB269FB1D863047DD8F571DEA
                                                                                                                                                                                                                                        SHA-256:E2610960C3757D1757F206C7B84378EFA22D86DCF161A98096A5F0E56E1A367E
                                                                                                                                                                                                                                        SHA-512:CD50C3EE4DFB9C4EC051B20DD1E148A5015457EE0C1A29FFF482E62291B32097B07A069DB62951B32F209FD118FD77A46B8E8CC92DA3EAAE6110735D126A90EE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.f.5................f.5................f.5................f.5................f.5................f.5...............
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):275
                                                                                                                                                                                                                                        Entropy (8bit):5.147481710129493
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Ik1N723NLdpYg2KLl6KVSu5QL+q2PN723NLdpNIFUv:LaXNL3++vVaXwFUv
                                                                                                                                                                                                                                        MD5:46FE18FE36610E2EF0A26C571258676F
                                                                                                                                                                                                                                        SHA1:1B8059C4D0DF48B97CD84CA9572ED16E20C094DB
                                                                                                                                                                                                                                        SHA-256:9EA58BB90D63836A1707316138A5238082CCACE80AE5622928619258AD9D06FC
                                                                                                                                                                                                                                        SHA-512:0B615268BC355EBCD993F1CC124D7686997CFA7542E540F8673D5404C374EB92C0C79602A14BFB6A33FF2F0497F8BAF300346D789C2BF56F85F36FB5D25BA4CC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:22.634 1cec Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension State since it was missing..2024/04/23-07:40:22.907 1cec Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Extension State/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4096
                                                                                                                                                                                                                                        Entropy (8bit):0.3169096321222068
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
                                                                                                                                                                                                                                        MD5:2554AD7847B0D04963FDAE908DB81074
                                                                                                                                                                                                                                        SHA1:F84ABD8D05D7B0DFB693485614ECF5204989B74A
                                                                                                                                                                                                                                        SHA-256:F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
                                                                                                                                                                                                                                        SHA-512:13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .....j.....
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.40981274649195937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
                                                                                                                                                                                                                                        MD5:1A7F642FD4F71A656BE75B26B2D9ED79
                                                                                                                                                                                                                                        SHA1:51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
                                                                                                                                                                                                                                        SHA-256:B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
                                                                                                                                                                                                                                        SHA-512:FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .....j............M.....8...b.....
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 11, cookie 0x8, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22528
                                                                                                                                                                                                                                        Entropy (8bit):2.2584256729322814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:RBmw6fU1zB+SexkSYwh7G5K1oCA6YRVTldeS/dB6SNxgWfDSsRW1kftgKpVZNofi:RBCyjexFYwh7GyoB68x3/1n0XKpVEfi
                                                                                                                                                                                                                                        MD5:217A43FB8F6BAE250761297D88ABA7FD
                                                                                                                                                                                                                                        SHA1:DB0F76BC6C2281E5E033850283BE8584A4410380
                                                                                                                                                                                                                                        SHA-256:2C940F9219440C5AEB2702B35B710F923FBDD0488B5BE9943BBDD4227D3DD1E3
                                                                                                                                                                                                                                        SHA-512:478A8D4E1AEBBD651DA76FAE8DDC5AA0B4F0DB25F60FEC1F7A18BC9CDFCDDBBCD7DC671234A8C6D84ACCE2817039C2D89F475F1DCCAA17A662EED3A614C8BBDF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3 ... indexfavicon_bitmaps_icon_idfavico
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):8.280239615765425E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                                                                                                                                                                                        MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                                                                                                                                                                                        SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                                                                                                                                                                                        SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                                                                                                                                                                                        SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                                        Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsNlWKl/:Ls3N
                                                                                                                                                                                                                                        MD5:B4E797D06FD3C539A8A2B7B2835F9625
                                                                                                                                                                                                                                        SHA1:2186499BD573CBA730433B12AEA341C192E31F0C
                                                                                                                                                                                                                                        SHA-256:CB94F3FB24AEC367FC0F30BE392BF00C6D16581DE693E59B56909BCBED7A323E
                                                                                                                                                                                                                                        SHA-512:DF3D60EEB2CF7B5A93DB1AA5B7C5AAAECB4E9899EDDF4725DD487DD12CFDAA9ED48F342B5BA15CFB0209A76D25D8DF6180B9ABD757031FE4478B778453163502
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155648
                                                                                                                                                                                                                                        Entropy (8bit):0.6225559993199978
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:+ImY5N7LVWyejzH+bDoYysX0IxQzwkHtpVJNlYDLjGQLBE3CeE0kEky/pV:+jAshH+bDo3iN0w2TVJkXBBE3ybr0z
                                                                                                                                                                                                                                        MD5:B856CD2C96B486B638943B5AAB211764
                                                                                                                                                                                                                                        SHA1:FDDA4D089EC13337E30D9AAE13A58908AE31AA5E
                                                                                                                                                                                                                                        SHA-256:E8CCEE2BB5A7C79CF258C20E67911778D86AEA22CFE3189E6239009BE8A5ACCB
                                                                                                                                                                                                                                        SHA-512:2CCB884B2B454156A0F6854F322CE702B22D027E9B9506CE38614176961D6C4926E907AA9D0EBB44652295EEADB65C979CB2205E4772409A1930243B59EC4758
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):0.21880421027789762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:k/ljtFlljq7A/mhWJFuQ3yy7IOWUYp/4dweytllrE9SFcTp4AGbNCV9RUIRd:k/K75fOGpQd0Xi99pEYF
                                                                                                                                                                                                                                        MD5:DAB7E54BDF9E10E23E0BB2284A125D19
                                                                                                                                                                                                                                        SHA1:631FF9C9025C6768FF9E6132CB236928454743E6
                                                                                                                                                                                                                                        SHA-256:ED093B64C8A88FB6361845C82AE8A468594D6A70BA87A78990F86CFD8E551A5C
                                                                                                                                                                                                                                        SHA-512:44D573791D2D2D57FC74D04039F702B1183FC0A510FD31BD4CA74CFCA860CCD8EF3076380D3580759C9DEFDB84DF77AB2E6EB34DDD985D4C7F6000E360964576
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):287
                                                                                                                                                                                                                                        Entropy (8bit):5.185371223134144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IULVFUYF4M1N723NLd1a2jM8B2KLl6e0Mq2PN723NLd1a2jMGIFUv:ZuYF4saX1jFLGMvVaX1EFUv
                                                                                                                                                                                                                                        MD5:DB07E33508608CCC882886F8D62F2C27
                                                                                                                                                                                                                                        SHA1:C4C4A31A7041392C40680708277C2636D40324DD
                                                                                                                                                                                                                                        SHA-256:723195A35299E4876D39C504295A57E39B2F41E26EC402838E6361B14266D435
                                                                                                                                                                                                                                        SHA-512:AFDA5BCA39603031463B24B89B045A2AACFC94A42AB77CA1448882CBE44C06FBA4D3B64A1C924D12F0E9E93D551D56274419AEA852D523432888907113D05545
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:23.909 1e44 Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Local Storage\leveldb since it was missing..2024/04/23-07:40:24.103 1e44 Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Local Storage\leveldb/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 21, cookie 0xc, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):43008
                                                                                                                                                                                                                                        Entropy (8bit):0.9009435143901008
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:C2BeymwLCn8MouB6wzFlXqiEqUvJKLuyn:C2TLG7IwRFqidn
                                                                                                                                                                                                                                        MD5:FB3D677576C25FF04A308A1F627410B7
                                                                                                                                                                                                                                        SHA1:97D530911F9CB0C37717ABB145D748982ADA0440
                                                                                                                                                                                                                                        SHA-256:A79300470D18AF26E3C5B4F23F81915B92D490105CE84A8122BF8100EC0C7517
                                                                                                                                                                                                                                        SHA-512:ED6666B064958B107E55BD76E52D2E5BF7A4791379902D208EF909A6B68803240D372CE03641249EB917C241B36A5684656A48D099A8A084AD34BA009857B098
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45056
                                                                                                                                                                                                                                        Entropy (8bit):0.4486816579016039
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Tmo9n+8dv/qALihje9kqL42WOT/9F02L:L9n+8d3qAuhjspnWOvR
                                                                                                                                                                                                                                        MD5:C4DC8FEBBA70F88B0CEACC238971F6F9
                                                                                                                                                                                                                                        SHA1:A59D7AA8593F4B713AB391D2035918D7F437E2E3
                                                                                                                                                                                                                                        SHA-256:A456651A688CC69BA9BF4A79654F2A0FD057262F09EF48F254B8440E2AF5C6FC
                                                                                                                                                                                                                                        SHA-512:10EE072971112A7786983A9F2A17DF8F7BF8741BABF2ADC00051AC1440A0184C375C444D810EE963337CE8BFD54C95B699AD94147F0699F2B90BDF028A428BB5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                                                                                        SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                                                                                        SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                                                                                        SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[]
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                                                                                        SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                                                                                        SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                                                                                        SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[]
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59
                                                                                                                                                                                                                                        Entropy (8bit):4.619434150836742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                                                                                                                                                                                        MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                                                                                                                                                                                        SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                                                                                                                                                                                        SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                                                                                                                                                                                        SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 8, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.4352197702888727
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TsKLopF+SawLUO1Xj8BOKWYlNbz9zFTy58iiBX0oMoZ6wi0o:te+AuOKWSTyyiiBERo2
                                                                                                                                                                                                                                        MD5:98994591CA45C630E1E94DAA62D8FDF3
                                                                                                                                                                                                                                        SHA1:FA22706657D2A71072AE152D55D420EB2A1799B7
                                                                                                                                                                                                                                        SHA-256:0A7FA6A6042363E3C53DAC847F5A6047D5532B0E9F0A7B6195FDB55DF4F655A8
                                                                                                                                                                                                                                        SHA-512:F525F070798D03E0414825C725819921283027A92D5D7F6E7DBFBD30B9E7B89B55DC908FF7DBA7E6D0611E0AF554294D3E1DDCCD81C772F0DA25959DAB447E8C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59
                                                                                                                                                                                                                                        Entropy (8bit):4.619434150836742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                                                                                                                                                                                        MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                                                                                                                                                                                        SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                                                                                                                                                                                        SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                                                                                                                                                                                        SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59
                                                                                                                                                                                                                                        Entropy (8bit):4.619434150836742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                                                                                                                                                                                        MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                                                                                                                                                                                        SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                                                                                                                                                                                        SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                                                                                                                                                                                        SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59
                                                                                                                                                                                                                                        Entropy (8bit):4.619434150836742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
                                                                                                                                                                                                                                        MD5:2800881C775077E1C4B6E06BF4676DE4
                                                                                                                                                                                                                                        SHA1:2873631068C8B3B9495638C865915BE822442C8B
                                                                                                                                                                                                                                        SHA-256:226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
                                                                                                                                                                                                                                        SHA-512:E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):36864
                                                                                                                                                                                                                                        Entropy (8bit):0.5559635235158827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
                                                                                                                                                                                                                                        MD5:9AAAE8C040B616D1378F3E0E17689A29
                                                                                                                                                                                                                                        SHA1:F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
                                                                                                                                                                                                                                        SHA-256:5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
                                                                                                                                                                                                                                        SHA-512:436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:D751713988987E9331980363E24189CE
                                                                                                                                                                                                                                        SHA1:97D170E1550EEE4AFC0AF065B78CDA302A97674C
                                                                                                                                                                                                                                        SHA-256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
                                                                                                                                                                                                                                        SHA-512:B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[]
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40
                                                                                                                                                                                                                                        Entropy (8bit):4.1275671571169275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Y2ktGMxkAXWMSN:Y2xFMSN
                                                                                                                                                                                                                                        MD5:20D4B8FA017A12A108C87F540836E250
                                                                                                                                                                                                                                        SHA1:1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
                                                                                                                                                                                                                                        SHA-256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
                                                                                                                                                                                                                                        SHA-512:507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"SDCH":{"dictionaries":{},"version":2}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):36864
                                                                                                                                                                                                                                        Entropy (8bit):0.36515621748816035
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
                                                                                                                                                                                                                                        MD5:25363ADC3C9D98BAD1A33D0792405CBF
                                                                                                                                                                                                                                        SHA1:D06E343087D86EF1A06F7479D81B26C90A60B5C3
                                                                                                                                                                                                                                        SHA-256:6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
                                                                                                                                                                                                                                        SHA-512:CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59
                                                                                                                                                                                                                                        Entropy (8bit):4.619434150836742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
                                                                                                                                                                                                                                        MD5:78BFCECB05ED1904EDCE3B60CB5C7E62
                                                                                                                                                                                                                                        SHA1:BF77A7461DE9D41D12AA88FBA056BA758793D9CE
                                                                                                                                                                                                                                        SHA-256:C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
                                                                                                                                                                                                                                        SHA-512:2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):862
                                                                                                                                                                                                                                        Entropy (8bit):5.294196473440683
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:YXsWkEZ9ji/sW88ZVQ/sWyKZVQlfbA7n7:YXsmNKshkOsO8fbm
                                                                                                                                                                                                                                        MD5:77B5A2AD27F6391135A63CB9FA8AC8A4
                                                                                                                                                                                                                                        SHA1:A0A67D405093D170FFB94C84BB7016C0664133B9
                                                                                                                                                                                                                                        SHA-256:BDEF7DE4D5901F6A36617914F16BA191FD6CCA25D0E839C837B7B0B1BBAEC6E4
                                                                                                                                                                                                                                        SHA-512:4BFF321304A2024AEB32F58EBFB2EBB03A7C4D43072EC137DE98A809BE40AFC705E7F79FEE5A0B66A2D4BD517D30FA7CECFA9C0AB22043A8E4C3130BDA61FF9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"net":{"http_server_properties":{"servers":[{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13360916430535447","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABQAAABodHRwczovL2JpdGNvbWV0LmNvbQ==",false],"server":"https://www.googletagmanager.com"},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13360916440678673","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2FwcGhpdC5jb20AAA==",false],"server":"https://www.googletagmanager.com"},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13360916444417261","port":443,"protocol_str":"quic"}],"anonymization":["GAAAABIAAABodHRwczovL2FwcGhpdC5jb20AAA==",false],"server":"https://www.google-analytics.com"}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5921
                                                                                                                                                                                                                                        Entropy (8bit):4.812062699996183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/h5s13Ob9ING8zwd85eh6Cb7/x+6MhmuecU61eAe+d2MR7K:st33s3GkW88bV+Fw6QArPhK
                                                                                                                                                                                                                                        MD5:05636BBD7F605888C776B3CB50B4EC1E
                                                                                                                                                                                                                                        SHA1:50839EDF903215E0DC565862F1DDC2E28966018D
                                                                                                                                                                                                                                        SHA-256:90DDA2EC557E526F78F8447FF36CF2463B73235D29FFF7D98291424B3ADC0E82
                                                                                                                                                                                                                                        SHA-512:7ABEF95973E6950D5FA8432345DE4C5384BD908D77758989A87A497E72DA2D8F41AE1BC3EA0782047DA3D7C543619E6C6FAABEB554F22D4E782D24E4F756FAC8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":140,"browser_content_container_width":407,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5921
                                                                                                                                                                                                                                        Entropy (8bit):4.812062699996183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/h5s13Ob9ING8zwd85eh6Cb7/x+6MhmuecU61eAe+d2MR7K:st33s3GkW88bV+Fw6QArPhK
                                                                                                                                                                                                                                        MD5:05636BBD7F605888C776B3CB50B4EC1E
                                                                                                                                                                                                                                        SHA1:50839EDF903215E0DC565862F1DDC2E28966018D
                                                                                                                                                                                                                                        SHA-256:90DDA2EC557E526F78F8447FF36CF2463B73235D29FFF7D98291424B3ADC0E82
                                                                                                                                                                                                                                        SHA-512:7ABEF95973E6950D5FA8432345DE4C5384BD908D77758989A87A497E72DA2D8F41AE1BC3EA0782047DA3D7C543619E6C6FAABEB554F22D4E782D24E4F756FAC8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":140,"browser_content_container_width":407,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33
                                                                                                                                                                                                                                        Entropy (8bit):4.051821770808046
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YVXADAEvTLSJ:Y9AcEvHSJ
                                                                                                                                                                                                                                        MD5:2B432FEF211C69C745ACA86DE4F8E4AB
                                                                                                                                                                                                                                        SHA1:4B92DA8D4C0188CF2409500ADCD2200444A82FCC
                                                                                                                                                                                                                                        SHA-256:42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
                                                                                                                                                                                                                                        SHA-512:948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"preferred_apps":[],"version":1}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182
                                                                                                                                                                                                                                        Entropy (8bit):4.2629097520179995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
                                                                                                                                                                                                                                        MD5:643E00B0186AA80523F8A6BED550A925
                                                                                                                                                                                                                                        SHA1:EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
                                                                                                                                                                                                                                        SHA-256:A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
                                                                                                                                                                                                                                        SHA-512:D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6780
                                                                                                                                                                                                                                        Entropy (8bit):5.580045113588475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:vODizsPlf/ROoBpkF5d13iQ7VaTEv9V5h5pg5vezodIU81USpsA5IOrMn3YPo0MT:GOzYr389l5+SpFIOAn3go0iujk
                                                                                                                                                                                                                                        MD5:FB4FA71309850FA416A24BCC8DEC6161
                                                                                                                                                                                                                                        SHA1:DDA19E6FAEDEBBBDE95C1E96ED718CA337C856EF
                                                                                                                                                                                                                                        SHA-256:876D9609C4470F9771F350F3203E98E5C8340B600DDB0C473EDEC82A455D0C3C
                                                                                                                                                                                                                                        SHA-512:2A587CA32489EC98CEA6A9AF36B43E90757986898152E00AEFFD5F36D266818BB9DC98A35608440269EA728DCA19FA3A15BC6AFACCBADE62C12683E375364027
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"extensions":{"settings":{"dgiklkfkllikcanfonkcabmbdfmgleag":{"active_permissions":{"api":[],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13358324421491157","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13358324421491157","location":5,"manifest":{"content_capabilities":{"include_globs":["https://*excel.officeapps.live.com/*","https://*onenote.officeapps.live.com/*","https://*powerpoint.officeapps.live.com/*","https://*word-edit.officeapps.live.com/*","https://*excel.officeapps.live.com.mcas.ms/*","https://*onenote.officeapps.live.com.mcas.ms/*","https://*word-edit.officeapps.live.com.mcas.ms/*","https://*excel.partner.officewebapps.cn/*","https://*onenote.partner.officewebapps.cn/*","https://*powerpoint.partner.officewebapps.cn/*","https://*word-edit.partner.officewebapps.cn/*","https://*excel.gov.online.office365.us/*","
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):375
                                                                                                                                                                                                                                        Entropy (8bit):5.045487572656924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:S85a4hlaDJFc19cCgR/VO/w9WuJFc19cL2WXAuWu5sLgIO:S+a4hUjlCUNOw93jlrQQ5sy
                                                                                                                                                                                                                                        MD5:481E1547BF238C88AEAFD835FD72DDE7
                                                                                                                                                                                                                                        SHA1:D595FA083360CD6018D0D1837981E0EAEEFBA16B
                                                                                                                                                                                                                                        SHA-256:155B46944903A9C734FD8AA9FB8E284EBBAB5C1D3E39E9876CEC51292396D83C
                                                                                                                                                                                                                                        SHA-512:36EC79566C5526B7CF90192C83421F800B2C90B8015B94CD32EED6B135E43350B11B02608B094918D5622A8C22A6244AF2F9557D2A5CAE89968C32965A9E7D98
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:*...#................version.1..namespace-.b..j................next-map-id.1.Knamespace-e6aad239_513a_49f0_9aa4_0f259efbb6a7-https://inside.bitcomet.com/.0.w5.a................next-map-id.2.Bnamespace-e6aad239_513a_49f0_9aa4_0f259efbb6a7-https://apphit.com/.1.?..m................next-map-id.3.Nnamespace-51330994_0ed3_42e4_ac2c_4e56232ae7e6-https://appassets.bitcomet.com/.2
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):275
                                                                                                                                                                                                                                        Entropy (8bit):5.148665219124819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IAU84M1N723NLdWQM72KLl6SLE+q2PN723NLdWQMxIFUv:RJ4saXILxLtvVaXHFUv
                                                                                                                                                                                                                                        MD5:48B4746979BBB747370AB46684F258E4
                                                                                                                                                                                                                                        SHA1:80290C0A8C531FD7A99ADFE6BC19858B93F9F264
                                                                                                                                                                                                                                        SHA-256:4F8796BF62403B13BCFC1ADE5E702CB1E8209E33820E23E3DC0F3284BC5FE4EE
                                                                                                                                                                                                                                        SHA-512:9DB3CFF6470C3642A1C1E2EAF11E93B0562B71A29D92DD399E6F7AC47EBD43F3E16D89126F5193139D999C7A93487795DAC1A9F31310FECC4387D5CAC3C41189
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:24.562 1e44 Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Session Storage since it was missing..2024/04/23-07:40:25.348 1e44 Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Session Storage/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40
                                                                                                                                                                                                                                        Entropy (8bit):3.473726825238924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:41tt0diERGn:et084G
                                                                                                                                                                                                                                        MD5:148079685E25097536785F4536AF014B
                                                                                                                                                                                                                                        SHA1:C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
                                                                                                                                                                                                                                        SHA-256:F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
                                                                                                                                                                                                                                        SHA-512:C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.On.!................database_metadata.1
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):303
                                                                                                                                                                                                                                        Entropy (8bit):5.10861823052571
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IWLzACRM1N723NLdUUh2gr52KLl6WLQ6Iq2PN723NLdUUh2ghZIFUv:NLsSsaXrhHJL1LQ6IvVaXrhHh2FUv
                                                                                                                                                                                                                                        MD5:8F749ED7D5E1B3F2AFD8087B1CD727E2
                                                                                                                                                                                                                                        SHA1:1FA2585C94FCC28BC18ADB92AC9F3D0ACEE80083
                                                                                                                                                                                                                                        SHA-256:32CE1C98AA61E9014500084113C14DAC514CE028643ED4F08D3BF96C2D55A62B
                                                                                                                                                                                                                                        SHA-512:BAC228E1E0E888BE69DAFA400B40E476D803545257332692C0A45BA3B5C9C1D1985E494B99AAB5C3889EE21B4634C610924AE5BF2048BFA8C6D072822922988E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:21.497 1ce4 Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Site Characteristics Database since it was missing..2024/04/23-07:40:21.593 1ce4 Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Site Characteristics Database/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):46
                                                                                                                                                                                                                                        Entropy (8bit):4.019797536844534
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
                                                                                                                                                                                                                                        MD5:90881C9C26F29FCA29815A08BA858544
                                                                                                                                                                                                                                        SHA1:06FEE974987B91D82C2839A4BB12991FA99E1BDD
                                                                                                                                                                                                                                        SHA-256:A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
                                                                                                                                                                                                                                        SHA-512:15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...n'................_mts_schema_descriptor...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):279
                                                                                                                                                                                                                                        Entropy (8bit):5.194855763350839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Ips1N723NLdgx2KLl6AXSsM+q2PN723NLdWIFUv:1aXgVL3XSt+vVaXPFUv
                                                                                                                                                                                                                                        MD5:E41592FCCB8BE37B911AF24DD493F083
                                                                                                                                                                                                                                        SHA1:A5E71D912883B5573DA3201A717355C11A3EF4D7
                                                                                                                                                                                                                                        SHA-256:9D893E5F959FB25CD2CAF56AE73AF6EBA95BA2CC53547C393C984AA3F14B7E88
                                                                                                                                                                                                                                        SHA-512:F15D79D03F45AFE25700AF53EE8FE2E3FC5461F81CB972E523780078B2D6CD4AF7CF40331D1C2CC5AEF7CF88AAC862B9DA79F9A9B334FDD2AEA0EC0373266592
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:22.085 1cac Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Sync Data\LevelDB since it was missing..2024/04/23-07:40:22.327 1cac Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\Sync Data\LevelDB/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):0.3528485475628876
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
                                                                                                                                                                                                                                        MD5:F2B4FB2D384AA4E4D6F4AEB0BBA217DC
                                                                                                                                                                                                                                        SHA1:2CD70CFB3CE72D9B079170C360C1F563B6BF150E
                                                                                                                                                                                                                                        SHA-256:1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
                                                                                                                                                                                                                                        SHA-512:48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131072
                                                                                                                                                                                                                                        Entropy (8bit):0.007787884987093801
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ImtV+1g//xUhA4O/Mf1LD/lit6W//9Mb/X:IiV+GXShA4O+w9Xu
                                                                                                                                                                                                                                        MD5:AE4128472188882F376735A2E73FF352
                                                                                                                                                                                                                                        SHA1:C61C276191DC9B0007E91FD468634C1231834EE9
                                                                                                                                                                                                                                        SHA-256:FFCDF6F5AF99CB245E3ED4312ED17A088E7CC4EB623DC5FEA54F5C78DD4D7787
                                                                                                                                                                                                                                        SHA-512:35F305D13F2A53ABDF4A6254660A5F254F6A894973C37B503C978DF04B6FF45F1AA96E6CDD6FE5B93E1114121E4EA499D9EE287397547735040B354C95DD06C2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 87, cookie 0x36, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178176
                                                                                                                                                                                                                                        Entropy (8bit):0.9328712687751187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+c:R2qOB1nxCkvSAELyKOMq+c
                                                                                                                                                                                                                                        MD5:6B2D5ED0A90C99FD05D58FE8E924C886
                                                                                                                                                                                                                                        SHA1:34E1103E18E57E9D1769C89DFB2DAD84BFDD54B5
                                                                                                                                                                                                                                        SHA-256:2873E973AB5B91CD07405FD5D35E2A843A408AD53696372BEC794F4582368E49
                                                                                                                                                                                                                                        SHA-512:08373748A19C0381866090CB60929A4642BB624AF777240CB63B918180CEEE0C80DFAD852830FC6821AD6266DF1A865940A90D2089621F612617C5E92A4B29B2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2568
                                                                                                                                                                                                                                        Entropy (8bit):0.06462527237038727
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Il1lOtlf:I+
                                                                                                                                                                                                                                        MD5:10FD4AA38DBA85945FE70664019B3A89
                                                                                                                                                                                                                                        SHA1:5B258DCD3C46EC25EB27409DE4075C9440D7DF05
                                                                                                                                                                                                                                        SHA-256:7853CEF0685CDE2143CCE0BE7CC8FF380787262B78470FE2851E12AB99230755
                                                                                                                                                                                                                                        SHA-512:FC38BF6C37F5B1784220089D66E0B68A86AD0DF9335A38A3151D3B96056A03C27E3264F398BA753E508447B812606212D1054B58D09FEBF557A2405BBA76E41E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6250
                                                                                                                                                                                                                                        Entropy (8bit):4.833573565577122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/P5s13Ob9ING8zu85eh6Cb7/x+6MhmuecU61eeGhe+8Z52MR7K:st3Bs3Gku88bV+Fw6QBuDPhK
                                                                                                                                                                                                                                        MD5:C734436665E03616CF9E1327B3493460
                                                                                                                                                                                                                                        SHA1:B5F49A0F591A1451BD8FEE1DA2E98FD7DBEBAC81
                                                                                                                                                                                                                                        SHA-256:5475E75BA4C7EBA5B3854D213AEDFB39661AAF4150DD82FAA88083C180C40825
                                                                                                                                                                                                                                        SHA-512:D9274A7E94B5F86A15A9382F536ED210669127AAB57959B24A8F911B9D69FD966DAD7F5BC686CB9FB3027DF5AE8EA1C747831852219BCD478ED061E4C920A23F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":184,"browser_content_container_width":162,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6148
                                                                                                                                                                                                                                        Entropy (8bit):4.829737702252872
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/P5s13Ob9ING8zu85eh6Cb7/x+6MhmuecU61eeGhe+8MC2MR7K:st3Bs3Gku88bV+Fw6QBu3PhK
                                                                                                                                                                                                                                        MD5:C718F5D0913A8D21FEC87F82D7ABA4BE
                                                                                                                                                                                                                                        SHA1:EA40B931C5307F26141D00E0C3A238812F4557B4
                                                                                                                                                                                                                                        SHA-256:6E576130DBA2C95DE84B9BE8D4464BFFFB092F9AD5F2CA881B1478AE4A0B67DC
                                                                                                                                                                                                                                        SHA-512:476451029F7B1E011060A72F3A6B3B6A39F64E4C9601354C7BF775DC865CB3E037C37090A8566C041D8450C10388E63431EC4943898FF711917160D3BA234DC8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":184,"browser_content_container_width":162,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5921
                                                                                                                                                                                                                                        Entropy (8bit):4.812062699996183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/h5s13Ob9ING8zwd85eh6Cb7/x+6MhmuecU61eAe+d2MR7K:st33s3GkW88bV+Fw6QArPhK
                                                                                                                                                                                                                                        MD5:05636BBD7F605888C776B3CB50B4EC1E
                                                                                                                                                                                                                                        SHA1:50839EDF903215E0DC565862F1DDC2E28966018D
                                                                                                                                                                                                                                        SHA-256:90DDA2EC557E526F78F8447FF36CF2463B73235D29FFF7D98291424B3ADC0E82
                                                                                                                                                                                                                                        SHA-512:7ABEF95973E6950D5FA8432345DE4C5384BD908D77758989A87A497E72DA2D8F41AE1BC3EA0782047DA3D7C543619E6C6FAABEB554F22D4E782D24E4F756FAC8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":140,"browser_content_container_width":407,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5970
                                                                                                                                                                                                                                        Entropy (8bit):4.81175843662132
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:stv/P5s13Ob9ING8zu85eh6Cb7/x+6MhmuecU61eAe+d2MR7K:st3Bs3Gku88bV+Fw6QArPhK
                                                                                                                                                                                                                                        MD5:ABD917CBA52F5D03ED03949A7EFF20D3
                                                                                                                                                                                                                                        SHA1:B71C1964EC537FE6257829807E53A9A37532A856
                                                                                                                                                                                                                                        SHA-256:211D9533562E1CB38938A1101D428C7BAE7587A67497ABC2F92A26A7AE57337A
                                                                                                                                                                                                                                        SHA-512:57A4D3ED3E4B153AABF1AA1FA097D8C3AE5FB4F5E7B74EDAFEFA1B06AEE7B39495C775BD995D0F86BCF51DC1A3F0BA25B60216B234A71EC72B99A420A0D3BB6B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13358324422264540","alternate_error_pages":{"backup":true,"enabled":false},"autocomplete":{"retention_policy_last_version":117},"autofill":{"autostuff_enabled":false,"credit_card_enabled":false,"custom_data_enabled":false,"custom_data_fill_enabled":false,"custom_data_identify_info_from_form_enabled":false,"custom_data_save_enabled":false},"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"browser_content_container_height":184,"browser_content_container_width":162,"browser_content_container_x":0,"browser_content_container_y":0,"countryid_at_install":17224,"credentials_enable_service":false,"dips_timer_last_update":"13358324422059613","domain_diversity":{"last_reporting_timestamp":"13358324422263770"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                                                        Entropy (8bit):0.35226517389931394
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
                                                                                                                                                                                                                                        MD5:D2CCDC36225684AAE8FA563AFEDB14E7
                                                                                                                                                                                                                                        SHA1:3759649035F23004A4C30A14C5F0B54191BEBF80
                                                                                                                                                                                                                                        SHA-256:080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
                                                                                                                                                                                                                                        SHA-512:1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):195
                                                                                                                                                                                                                                        Entropy (8bit):2.7998631831187235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:VVXntjQPEnjQvxljljljljljljl:/XntM+4ljljljljljljl
                                                                                                                                                                                                                                        MD5:00C0DEFAC69CFE6E18C6FD4D684D6625
                                                                                                                                                                                                                                        SHA1:F80E1AB029E1116EE2FE85B2ECBF0959CCE884A7
                                                                                                                                                                                                                                        SHA-256:1FCAFCF037F8CE32A6EB94539F4A7D67FC51FE2BD8EDBD95C1D0322841EEC8A2
                                                                                                                                                                                                                                        SHA-512:C9411AEDDD3937D778BFE37FD489409E49304EBF3D3E7D686BDE4EE9C71E23A57224B622902948AD4BB422FFF3FB9386D02F956807FFF0185E9EF99FA2E157CF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:A..r.................20_1_1...1.,U.................20_1_1...1..&f.................&f.................&f.................&f.................&f.................&f.................&f...............
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):275
                                                                                                                                                                                                                                        Entropy (8bit):5.246662627792883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IK4hRM1N723NLd4rl2KLl6ULXOq2PN723NLd4rK+IFUv:asaXqLivVaX53FUv
                                                                                                                                                                                                                                        MD5:E3DD199A146A41AC8B3C30E129C6B8C9
                                                                                                                                                                                                                                        SHA1:9ACDEDAC6A4519140CADA937C483B85597CE7B9A
                                                                                                                                                                                                                                        SHA-256:01AACFFAEF41CE3F322AE5BB655880C745FC85FB8E7C3F488738C1D5211CDE1A
                                                                                                                                                                                                                                        SHA-512:62F4BD5CC21E1C559929A2CDB84A0DBDE7E28C676BEEBFE3B18D120FF1A099535C13FBD71843DBF53E375E0415FD420C79D96937A268090C084C1929DF192046
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:22.914 1ce4 Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\shared_proto_db since it was missing..2024/04/23-07:40:23.009 1ce4 Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\shared_proto_db/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):443
                                                                                                                                                                                                                                        Entropy (8bit):3.8632842697631133
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:G0Xtqcsqc9Ct3mxKm9HTl1mL//3mQtmF2lHDNm8L/3mtyWmF2lpgll1mF2lA3m8e:G0nYUteza//z3p/F+iPAHlT0
                                                                                                                                                                                                                                        MD5:1DE951E901ED35E532EEBE62E25D7B68
                                                                                                                                                                                                                                        SHA1:31CC63C8C6AD38F1AD9EC5B75391E5E642D5EB73
                                                                                                                                                                                                                                        SHA-256:19A8D45F22049CA45CCCF3CE04A1C3BA194B7CE6DB6F94FBDEBC95D5A3F55B23
                                                                                                                                                                                                                                        SHA-512:BD76B10AE75E2F5C458B53627D4B85E00BB275CE2FD622EEB60E16E7B2C68AF06105B9BA7EDD2F948821A07FCBB1FD64C690EF77E789255375C3F1E44A865CA9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.h.6.................__global... .t...................__global... .9..b.................33_..........................21_.....n[.=.................33_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_......Q...................20_.......w<.................20_.......ln.................19_......Y...................18_.....%.{..................9_.....f..U.................9_.....
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16
                                                                                                                                                                                                                                        Entropy (8bit):3.2743974703476995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1sjgWIV//Uv:1qIFUv
                                                                                                                                                                                                                                        MD5:46295CAC801E5D4857D09837238A6394
                                                                                                                                                                                                                                        SHA1:44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
                                                                                                                                                                                                                                        SHA-256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
                                                                                                                                                                                                                                        SHA-512:8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293
                                                                                                                                                                                                                                        Entropy (8bit):5.200308114952286
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:IAXU6+RM1N723NLd4rzs52KLl6GVVIq2PN723NLd4rzAdIFUv:fXVusaX59LTVIvVaXuFUv
                                                                                                                                                                                                                                        MD5:D5A8D7D2D8509E3BF038ABA91B2D74BB
                                                                                                                                                                                                                                        SHA1:48B7CFCC822D6B78118481CCCD409D479CEEAE30
                                                                                                                                                                                                                                        SHA-256:246750F1E016848B4BD9A672D98BC8EA014DA902A4E1B5BB5348391ABF0CBDAE
                                                                                                                                                                                                                                        SHA-512:5E96BE2F206D66FF3DD263FDDB19D5BD2747D8988589CB3DA54CDB55903641C56E382ACB17198052226E2B105409A674EB8A61B374F53A2A4AA58535DA37587C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024/04/23-07:40:22.321 1ce4 Creating DB C:\Users\user\AppData\Local\BitComet\EBWebView\Default\shared_proto_db\metadata since it was missing..2024/04/23-07:40:22.501 1ce4 Reusing MANIFEST C:\Users\user\AppData\Local\BitComet\EBWebView\Default\shared_proto_db\metadata/MANIFEST-000001.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:OpenPGP Secret Key
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41
                                                                                                                                                                                                                                        Entropy (8bit):4.704993772857998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:scoBAIxQRDKIVjn:scoBY7jn
                                                                                                                                                                                                                                        MD5:5AF87DFD673BA2115E2FCF5CFDB727AB
                                                                                                                                                                                                                                        SHA1:D5B5BBF396DC291274584EF71F444F420B6056F1
                                                                                                                                                                                                                                        SHA-256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
                                                                                                                                                                                                                                        SHA-512:DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.|.."....leveldb.BytewiseComparator......
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):8.280239615765425E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                                                                                                                                                                                        MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                                                                                                                                                                                        SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                                                                                                                                                                                        SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                                                                                                                                                                                        SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                                        Entropy (8bit):9.47693366977411E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsNlp:Ls3p
                                                                                                                                                                                                                                        MD5:F52D94790E6134B66ACABCA2A2E5EC44
                                                                                                                                                                                                                                        SHA1:74C4CBC11980DB5E36C0D947BE96CBFE27C5B7BB
                                                                                                                                                                                                                                        SHA-256:BC6609B116D4E7B83610F76E58B677D19225ECA01757EFC435132D69A5A40D59
                                                                                                                                                                                                                                        SHA-512:88DA3FBEB306D27D01E0C5018B2F469CC4004EF042135BCA8B7520E9564C15F0958CD56FF9453B8431428E7A498FA01DD9A5BFA1907E1AC903E969B47C0A7E54
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):8.280239615765425E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                                                                                                                                                                                        MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                                                                                                                                                                                        SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                                                                                                                                                                                        SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                                                                                                                                                                                        SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                                        Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsNlVval:Ls3Fu
                                                                                                                                                                                                                                        MD5:3E3124163E59215609D841396BBF34F5
                                                                                                                                                                                                                                        SHA1:F211BA1943E2404956121BAD05382F647485970A
                                                                                                                                                                                                                                        SHA-256:B15AB99E2940A4C5A8A4379FA3D7E18F7A758B4A2BB5721A12693BC1818A064A
                                                                                                                                                                                                                                        SHA-512:C4A08606391D9655B9C13F98CBB2282FE67012C596F4E0123352609C5CE846B6EC9D184A7C7291083A3D800BA4735914CAC5361F44E1855B6E9157EDD7A76DBB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):2.7192945256669794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:NYLFRQI:ap2I
                                                                                                                                                                                                                                        MD5:BF16C04B916ACE92DB941EBB1AF3CB18
                                                                                                                                                                                                                                        SHA1:FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
                                                                                                                                                                                                                                        SHA-256:7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
                                                                                                                                                                                                                                        SHA-512:F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:117.0.2045.47
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):5.720179303579692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:YKWJu5rrtSU+huPXtWNBLaeCiWOaKbvXXoQQRCYfYg:Yqf0U+huPXoNBLZ3aMvnNB0
                                                                                                                                                                                                                                        MD5:44643104611B727DD70E748765AD3591
                                                                                                                                                                                                                                        SHA1:2AF521118AF866A79C3C9CEFD56B3EDE93B41276
                                                                                                                                                                                                                                        SHA-256:71B63AABC62FE5663D7C819D95D3C6244C9888C523B4407864F860242B8FEF8C
                                                                                                                                                                                                                                        SHA-512:1F4A5DFEEC91EAC94F3B7849F415CB316FE8DC8C0C8AF4B72C8EEA72FA8DCEB218D707298168CFF198822B94B2341F7D8610AC4935F2D2EAB603139FF34A7D12
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACh951LgvM2Qb9CwsFGCkzdEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABD0qrA/1M2p05las89SFLH91gcRTRuy3aQSBO5tqZSvgAAAAAOgAAAAAIAACAAAABvmV3+MdX6Tqq0Bne9+d2sllxMMMvq21CapH5IOt/bdDAAAAB6o6CQC/aMQy3isabs6KYzngVUBU9TDWo8ft2NTWf9YP+eJ3+yMcqsQR1zHN+zbQBAAAAAaITLD8g/baji/7MOyJleUSl4xE+6rkfDHA0FqCbDO1yWRn2SHa0V39TZ3hxwvYWQmMKGSyWu9aGUE02N+LtCUQ=="},"uninstall_metrics":{"installation_date2":"1713850820"},"user_experience_metrics":{"client_id2":"{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}C:\\Users\\user0s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","diagnostics":{"last_data_collection_level_on_launch":1},"low_entropy_source3":3565,"pseudo_low_entropy_source":1920,"reset_client_id_deterministic":true,"stability":{"browser_last_live_timestamp":"13358324420587612","stats_buildtime":"1695934310","stats_version":"117.0.2045.47-64","system_crash_count":0}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):270336
                                                                                                                                                                                                                                        Entropy (8bit):8.280239615765425E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsEllllkEthXllkl2:/M/xT02
                                                                                                                                                                                                                                        MD5:D0D388F3865D0523E451D6BA0BE34CC4
                                                                                                                                                                                                                                        SHA1:8571C6A52AACC2747C048E3419E5657B74612995
                                                                                                                                                                                                                                        SHA-256:902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
                                                                                                                                                                                                                                        SHA-512:376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                                        Entropy (8bit):9.553120663130604E-4
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LsNlOl/:Ls3
                                                                                                                                                                                                                                        MD5:89F3863BEC29ABB38394958B01A70A0B
                                                                                                                                                                                                                                        SHA1:248E9FE0FFF44ED190D5A886A370311ACF75053A
                                                                                                                                                                                                                                        SHA-256:A4050934EB14FB46236B18A164730BEABDB91B25DCD662A3B71671B6E76FEC18
                                                                                                                                                                                                                                        SHA-512:5A325384DEC333E0C4892BB544B94C98F90C79B71E25B676B4E6DEC563333303FB657F043B4DD82C0934050C74E2638439C7570B784E2FA6DCA1CA7645962BAB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):47
                                                                                                                                                                                                                                        Entropy (8bit):4.3818353308528755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
                                                                                                                                                                                                                                        MD5:48324111147DECC23AC222A361873FC5
                                                                                                                                                                                                                                        SHA1:0DF8B2267ABBDBD11C422D23338262E3131A4223
                                                                                                                                                                                                                                        SHA-256:D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
                                                                                                                                                                                                                                        SHA-512:E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:customSettings_F95BA787499AB4FA9EFFF472CE383A14
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):4.014438730983427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
                                                                                                                                                                                                                                        MD5:BB57A76019EADEDC27F04EB2FB1F1841
                                                                                                                                                                                                                                        SHA1:8B41A1B995D45B7A74A365B6B1F1F21F72F86760
                                                                                                                                                                                                                                        SHA-256:2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
                                                                                                                                                                                                                                        SHA-512:A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"forceServiceDetermination":false}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29
                                                                                                                                                                                                                                        Entropy (8bit):3.922828737239167
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:2NGw+K+:fwZ+
                                                                                                                                                                                                                                        MD5:7BAAFE811F480ACFCCCEE0D744355C79
                                                                                                                                                                                                                                        SHA1:24B89AE82313084BB8BBEB9AD98A550F41DF7B27
                                                                                                                                                                                                                                        SHA-256:D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
                                                                                                                                                                                                                                        SHA-512:70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:customSynchronousLookupUris_0
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35302
                                                                                                                                                                                                                                        Entropy (8bit):7.99333285466604
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
                                                                                                                                                                                                                                        MD5:0E06E28C3536360DE3486B1A9E5195E8
                                                                                                                                                                                                                                        SHA1:EB768267F34EC16A6CCD1966DCA4C3C2870268AB
                                                                                                                                                                                                                                        SHA-256:F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
                                                                                                                                                                                                                                        SHA-512:45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):81
                                                                                                                                                                                                                                        Entropy (8bit):4.3439888556902035
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:kDnaV6bVsFUIMf1HDOWg3djTHXoSWDSQ97P:kDYaoUIe1HDM3oskP
                                                                                                                                                                                                                                        MD5:177F4D75F4FEE84EF08C507C3476C0D2
                                                                                                                                                                                                                                        SHA1:08E17AEB4D4066AC034207420F1F73DD8BE3FAA0
                                                                                                                                                                                                                                        SHA-256:21EE7A30C2409E0041CDA6C04EEE72688EB92FE995DC94487FF93AD32BD8F849
                                                                                                                                                                                                                                        SHA-512:94FC142B3CC4844BF2C0A72BCE57363C554356C799F6E581AA3012E48375F02ABD820076A8C2902A3C6BE6AC4D8FA8D4F010D4FF261327E878AF5E5EE31038FB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3581
                                                                                                                                                                                                                                        Entropy (8bit):4.459693941095613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
                                                                                                                                                                                                                                        MD5:BDE38FAE28EC415384B8CFE052306D6C
                                                                                                                                                                                                                                        SHA1:3019740AF622B58D573C00BF5C98DD77F3FBB5CD
                                                                                                                                                                                                                                        SHA-256:1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
                                                                                                                                                                                                                                        SHA-512:9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):130439
                                                                                                                                                                                                                                        Entropy (8bit):3.80180718117079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:RlIyFAMrwvaGbyLWzDr6PDofI8vsUnPRLz+PMh:weWGP7Eh
                                                                                                                                                                                                                                        MD5:EB75CEFFE37E6DF9C171EE8380439EDA
                                                                                                                                                                                                                                        SHA1:F00119BA869133D64E4F7F0181161BD47968FA23
                                                                                                                                                                                                                                        SHA-256:48B11410DC937A1723BF4C5AD33ECDB286D8EC69544241BC373F753E64B396C1
                                                                                                                                                                                                                                        SHA-512:044C5113D877CE2E3B42CF07670620937ED7BE2D8B3BF2BAB085C43EF4F64598A7AC56328DDBBE7F0F3CFB9EA49D38CA332BB4ECBFEDBE24AE53B14334A30C8E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "geoidMaps": {.. "au": "https://australia.smartscreen.microsoft.com/",.. "ch": "https://switzerland.smartscreen.microsoft.com/",.. "eu": "https://europe.smartscreen.microsoft.com/",.. "ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "in": "https://india.smartscreen.microsoft.com/",.. "test": "https://eu-9.smartscreen.microsoft.com/",.. "uk": "https://unitedkingdom.smartscreen.microsoft.com/",.. "us": "https://unitedstates.smartscreen.microsoft.com/",.. "gw_au": "https://australia.smartscreen.microsoft.com/",.. "gw_ch": "https://switzerland.smartscreen.microsoft.com/",.. "gw_eu": "https://europe.smartscreen.microsoft.com/",.. "gw_ffl4": "https://unitedstates1.ss.wd.microsoft.us/",.. "gw_ffl4mod": "https://unitedstates4.ss.wd.microsoft.us/",.. "gw_ffl5": "https://unitedstates2.ss.wd.microsoft.us/",.. "gw_in": "https
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40
                                                                                                                                                                                                                                        Entropy (8bit):4.346439344671015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:kfKbUPVXXMVQX:kygV5
                                                                                                                                                                                                                                        MD5:6A3A60A3F78299444AACAA89710A64B6
                                                                                                                                                                                                                                        SHA1:2A052BF5CF54F980475085EEF459D94C3CE5EF55
                                                                                                                                                                                                                                        SHA-256:61597278D681774EFD8EB92F5836EB6362975A74CEF807CE548E50A7EC38E11F
                                                                                                                                                                                                                                        SHA-512:C5D0419869A43D712B29A5A11DC590690B5876D1D95C1F1380C2F773CA0CB07B173474EE16FE66A6AF633B04CC84E58924A62F00DCC171B2656D554864BF57A4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:synchronousLookupUris_638343870221005468
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35302
                                                                                                                                                                                                                                        Entropy (8bit):7.99333285466604
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
                                                                                                                                                                                                                                        MD5:0E06E28C3536360DE3486B1A9E5195E8
                                                                                                                                                                                                                                        SHA1:EB768267F34EC16A6CCD1966DCA4C3C2870268AB
                                                                                                                                                                                                                                        SHA-256:F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
                                                                                                                                                                                                                                        SHA-512:45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57
                                                                                                                                                                                                                                        Entropy (8bit):4.556488479039065
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:GSCIPPlzYxi21goD:bCWBYx99D
                                                                                                                                                                                                                                        MD5:3A05EAEA94307F8C57BAC69C3DF64E59
                                                                                                                                                                                                                                        SHA1:9B852B902B72B9D5F7B9158E306E1A2C5F6112C8
                                                                                                                                                                                                                                        SHA-256:A8EF112DF7DAD4B09AAA48C3E53272A2EEC139E86590FD80E2B7CBD23D14C09E
                                                                                                                                                                                                                                        SHA-512:6080AEF2339031FAFDCFB00D3179285E09B707A846FD2EA03921467DF5930B3F9C629D37400D625A8571B900BC46021047770BAC238F6BAC544B48FB3D522FB0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:9.......murmur3.............,M.h...Z...8.\..<&Li.H..[.?m
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29
                                                                                                                                                                                                                                        Entropy (8bit):4.030394788231021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:0xXeZUSXkcVn:0Re5kcV
                                                                                                                                                                                                                                        MD5:52E2839549E67CE774547C9F07740500
                                                                                                                                                                                                                                        SHA1:B172E16D7756483DF0CA0A8D4F7640DD5D557201
                                                                                                                                                                                                                                        SHA-256:F81B7B9CE24F5A2B94182E817037B5F1089DC764BC7E55A9B0A6227A7E121F32
                                                                                                                                                                                                                                        SHA-512:D80E7351E4D83463255C002D3FDCE7E5274177C24C4C728D7B7932D0BE3EBCFEB68E1E65697ED5E162E1B423BB8CDFA0864981C4B466D6AD8B5E724D84B4203B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:topTraffic_638004170464094982
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):575056
                                                                                                                                                                                                                                        Entropy (8bit):7.999649474060713
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
                                                                                                                                                                                                                                        MD5:BE5D1A12C1644421F877787F8E76642D
                                                                                                                                                                                                                                        SHA1:06C46A95B4BD5E145E015FA7E358A2D1AC52C809
                                                                                                                                                                                                                                        SHA-256:C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
                                                                                                                                                                                                                                        SHA-512:FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:raw G3 (Group 3) FAX, byte-padded
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):460992
                                                                                                                                                                                                                                        Entropy (8bit):7.999625908035124
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:KaRwcD8XXTZGZJHXBjOVX3xFttENr4+3eGPnKvJWXrydqb:KaR5oZ2MBFt8r4+3eG/URdqb
                                                                                                                                                                                                                                        MD5:E9C502DB957CDB977E7F5745B34C32E6
                                                                                                                                                                                                                                        SHA1:DBD72B0D3F46FA35A9FE2527C25271AEC08E3933
                                                                                                                                                                                                                                        SHA-256:5A6B49358772DB0B5C682575F02E8630083568542B984D6D00727740506569D4
                                                                                                                                                                                                                                        SHA-512:B846E682427CF144A440619258F5AA5C94CAEE7612127A60E4BD3C712F8FF614DA232D9A488E27FC2B0D53FD6ACF05409958AEA3B21EA2C1127821BD8E87A5CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9
                                                                                                                                                                                                                                        Entropy (8bit):3.169925001442312
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:CMzOn:CM6
                                                                                                                                                                                                                                        MD5:B6F7A6B03164D4BF8E3531A5CF721D30
                                                                                                                                                                                                                                        SHA1:A2134120D4712C7C629CDCEEF9DE6D6E48CA13FA
                                                                                                                                                                                                                                        SHA-256:3D6F3F8F1456D7CE78DD9DFA8187318B38E731A658E513F561EE178766E74D39
                                                                                                                                                                                                                                        SHA-512:4B473F45A5D45D420483EA1D9E93047794884F26781BBFE5370A554D260E80AD462E7EEB74D16025774935C3A80CBB2FD1293941EE3D7B64045B791B365F2B63
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:uriCache_
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):482
                                                                                                                                                                                                                                        Entropy (8bit):5.001819739777336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:YWLSGgm1kv/NnqB5JfGMfaAIVj/T8n+fn/dHJ21faAIVj/T8nVi:YWLSVm1kQ7pzIJR/C1zIJyi
                                                                                                                                                                                                                                        MD5:7F6FFFFF505A97F64E99FCB09F022D50
                                                                                                                                                                                                                                        SHA1:F886DEB44575F5FB9726923B74BCCC9A1054D475
                                                                                                                                                                                                                                        SHA-256:FB7551DE50357F6C929F48374527DC1F583619B273C315D05CA45D98902BB869
                                                                                                                                                                                                                                        SHA-512:664B91610B36EE926BD2D7F730CB22D6703F50170B5272727F5756D50B6ADDF3D67D9F5D34AD875FBFD4D5CD2630FAC5A6F2727AB0469CB5CAF04BE01FA1640F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"version":1,"cache_data":[{"file_hash":"5d91a5ad61de177d","server_context":"1;c5faad59-a2e3-31f2-b86e-aaf958e12824;phsh:005;7e-05","result":0,"expiration_time":1713955989778271},{"file_hash":"fe6d7e41cf4ceedc","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1713955989283320},{"file_hash":"6590fbc8306c5848","server_context":"1;f94c025f-7523-6972-b613-ce2c246c55ce;unkn:100;0.01","result":1,"expiration_time":1713955987705521}]}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86
                                                                                                                                                                                                                                        Entropy (8bit):4.3751917412896075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
                                                                                                                                                                                                                                        MD5:961E3604F228B0D10541EBF921500C86
                                                                                                                                                                                                                                        SHA1:6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
                                                                                                                                                                                                                                        SHA-256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
                                                                                                                                                                                                                                        SHA-512:535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):5.720179303579692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:YKWJu5rrtSU+huPXtWNBLaeCiWOaKbvXXoQQRCYfYg:Yqf0U+huPXoNBLZ3aMvnNB0
                                                                                                                                                                                                                                        MD5:44643104611B727DD70E748765AD3591
                                                                                                                                                                                                                                        SHA1:2AF521118AF866A79C3C9CEFD56B3EDE93B41276
                                                                                                                                                                                                                                        SHA-256:71B63AABC62FE5663D7C819D95D3C6244C9888C523B4407864F860242B8FEF8C
                                                                                                                                                                                                                                        SHA-512:1F4A5DFEEC91EAC94F3B7849F415CB316FE8DC8C0C8AF4B72C8EEA72FA8DCEB218D707298168CFF198822B94B2341F7D8610AC4935F2D2EAB603139FF34A7D12
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACh951LgvM2Qb9CwsFGCkzdEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABD0qrA/1M2p05las89SFLH91gcRTRuy3aQSBO5tqZSvgAAAAAOgAAAAAIAACAAAABvmV3+MdX6Tqq0Bne9+d2sllxMMMvq21CapH5IOt/bdDAAAAB6o6CQC/aMQy3isabs6KYzngVUBU9TDWo8ft2NTWf9YP+eJ3+yMcqsQR1zHN+zbQBAAAAAaITLD8g/baji/7MOyJleUSl4xE+6rkfDHA0FqCbDO1yWRn2SHa0V39TZ3hxwvYWQmMKGSyWu9aGUE02N+LtCUQ=="},"uninstall_metrics":{"installation_date2":"1713850820"},"user_experience_metrics":{"client_id2":"{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}C:\\Users\\user0s:92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","diagnostics":{"last_data_collection_level_on_launch":1},"low_entropy_source3":3565,"pseudo_low_entropy_source":1920,"reset_client_id_deterministic":true,"stability":{"browser_last_live_timestamp":"13358324420587612","stats_buildtime":"1695934310","stats_version":"117.0.2045.47-64","system_crash_count":0}}}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2903
                                                                                                                                                                                                                                        Entropy (8bit):5.308337934084308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:YDEFMsFiHGS0af0U+huPXowoe3p8QSh/cIgwLURMYXylVotoWRZ5K1DsHB+1lzdf:PNkGS1f05gQe58rh/cI9URoDotomtBcz
                                                                                                                                                                                                                                        MD5:C805A899D97DA5E9CACE411E2C1752A5
                                                                                                                                                                                                                                        SHA1:AFF47653F29654F55234ADAF04CDCCC6E3CFCE9B
                                                                                                                                                                                                                                        SHA-256:9E7371069147174E86412BA8D6FFBB282AAF18E095D9EAF4A18CD3D9BE462816
                                                                                                                                                                                                                                        SHA-512:92ECC94A8B7378655BF083274C37CDA458435FEDA81C1CD41050B2F91DE0E98237F19DF6EE4236C8DCD37FF3AD0BDFF69931213B0F2A432D537E1CEEF00BF49F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17974
                                                                                                                                                                                                                                        Entropy (8bit):6.06690845072659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nDF5g/rZP0/jpq4eVYCxmxf91UM2ONlj1V0tNMuWQHKh3:DF5kruq4eV5xmx3Q7tGuWEG
                                                                                                                                                                                                                                        MD5:7DD87144374CD6595D0266EE2715A6A1
                                                                                                                                                                                                                                        SHA1:DADDB98C00F119C2C21BE13B6E3428446D2B1C26
                                                                                                                                                                                                                                        SHA-256:E59DF0972C814D5EBAE97058E33CE6A3063E8ECA7462047A97A96A4F2973DF30
                                                                                                                                                                                                                                        SHA-512:C0C4CF6F58DF4C9BD40D327BAAEE2E2DB4FC3D36EC19F36DC0A1928364F0112A3397D0BBA8763BD06AC6738BC34794340088E9332813E0D23C92E44657E621C8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2777
                                                                                                                                                                                                                                        Entropy (8bit):5.360797665263905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6ouHlJH/lEHuFKHKSqtHTHhAHKKk9H6HNp51qHGIs0HKS8mHDp6q:iqbYqGSI6ou/fmOYqSqtzHeqKk9atp5G
                                                                                                                                                                                                                                        MD5:9AB025225AB007D87A072B6151338CBD
                                                                                                                                                                                                                                        SHA1:72D19468FA5450D99F29F8DCA047E63260751958
                                                                                                                                                                                                                                        SHA-256:3D7C3D5921DA186FDC9C912EC11CAC4A968B9C77418A330782A5A7419C9EBF66
                                                                                                                                                                                                                                        SHA-512:025826B31F5485C87C30A93CB3B25B7017D2E7EEAD73EB8411CF3492DF34AD335A2E8F17CBB5ADE2AFE9B0A3F0286F506FA332D89ED8E69C3E3CAE22F79E60D0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2278
                                                                                                                                                                                                                                        Entropy (8bit):3.855244678872742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:uiTrlKxrgxYxl9Il8uXLB0eKP4ZyM9nOa5T5Jzrpf5Kzd1rc:m1YNCeKMT9nOad5JzrpxKU
                                                                                                                                                                                                                                        MD5:97FBB6A469ECA1D3FBB5806521BD0362
                                                                                                                                                                                                                                        SHA1:0D8FB5D42CA6170AFC4E4F34209446B8662823B7
                                                                                                                                                                                                                                        SHA-256:5FECA8BE52C6DEC6D5EEDA834473154BFE70120A7178217786D8C97F5045D645
                                                                                                                                                                                                                                        SHA-512:4A3387BEF226FD22AE3F5AD3C28B1345C5C2EBF8DE9B9953C6A567A98D0E21C27B417FD99DA9C59B7130D99F887068CA2DA0D97EC863418F40D0B29CB8B9420A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (2343)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52916
                                                                                                                                                                                                                                        Entropy (8bit):5.51283890397623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:oHzaMKHBCwsZtisP5XqYofL+qviHOlTjdNoVJDe6VyKaqgYUD0ZTTE8yVfZsk:caMKH125hYiM8O9dNoVJ3N48yVL
                                                                                                                                                                                                                                        MD5:575B5480531DA4D14E7453E2016FE0BC
                                                                                                                                                                                                                                        SHA1:E5C5F3134FE29E60B591C87EA85951F0AEA36EE1
                                                                                                                                                                                                                                        SHA-256:DE36E50194320A7D3EF1ACE9BD34A875A8BD458B253C061979DD628E9BF49AFD
                                                                                                                                                                                                                                        SHA-512:174E48F4FB2A7E7A0BE1E16564F9ED2D0BBCC8B4AF18CB89AD49CF42B1C3894C8F8E29CE673BC5D9BC8552F88D1D47294EE0E216402566A3F446F04ACA24857A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (5955)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):251603
                                                                                                                                                                                                                                        Entropy (8bit):5.569216669167485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:u7JAZVNSNcMzszFeInv85jCBPIrTWRvYElfh6St2nBsLqJyHXDeltzvsX0ohh9A:kJAFMgzFesDLfh6St+aqJyHXDelJsXw
                                                                                                                                                                                                                                        MD5:4501BC91ADF4B9C1664D1A32EDC6FE20
                                                                                                                                                                                                                                        SHA1:26476FBFE0D0098B02FC2D967752DEA5D793E555
                                                                                                                                                                                                                                        SHA-256:98460E1808CDD7E131A691272E479A599A92931B1EF67F9137BFB18BE4836CF8
                                                                                                                                                                                                                                        SHA-512:09D6399C29C51B6C0175B22C2D49F78DCFD828BDC633FD832D4073A6EB4C6AA659ED3ED3808D84F7364A0971A5CB28516D6FD52C739D38A82B156326FE13ED9F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):835
                                                                                                                                                                                                                                        Entropy (8bit):5.447766157834978
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:WcispON5jcEMzIh51MCvHFSg1MD1nwzYM:XJpK5jc7zqICvHwzJiN
                                                                                                                                                                                                                                        MD5:13EFEFE842CA70D558F6C64D90034CE2
                                                                                                                                                                                                                                        SHA1:10D6455CA37702CC546878352CF9270DBA8BC155
                                                                                                                                                                                                                                        SHA-256:2E53AC7938062801AC5A7AF551449E3262BA69063D5B7F5DEAA0CFD3F6CA5410
                                                                                                                                                                                                                                        SHA-512:E137DA65D1ED4AAA34960D5188A214907ACC1EC91F5E7E1135B0A29F511EB2048C8061B704503A3DE2C2DBB61C24E9D6F7454C154A1BBD32E9B2F83F8C1137E8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge" />..<title></title>.. Global site tag (gtag.js) - Google Analytics -->..<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1053053-8"></script>..<script>.. window.dataLayer = window.dataLayer || [];.. function gtag(){dataLayer.push(arguments);}.. gtag('js', new Date());.... gtag('config', 'UA-1053053-8');..</script>..</head>....<body leftmargin="0" topmargin="0">.. <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">..</script>..<script type="text/javascript">.._uacct = "UA-1053053-8";..try..{...urchinTracker();..}..catch(ex)..{..}..</script> -->..OK..</body>..</html>..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (4179)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):202289
                                                                                                                                                                                                                                        Entropy (8bit):5.536055973184919
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:AKAZVNSNcMzsz5/T8/9CBPIrTW77PeMfK6St2nBsLqQqJqt:TAFMgzXZxfK6St+aqQqJk
                                                                                                                                                                                                                                        MD5:AFFD3F5D13C821A30D71B6194D9C377D
                                                                                                                                                                                                                                        SHA1:5AAFCF74A48499BE3B14107A3D016A53AC19192B
                                                                                                                                                                                                                                        SHA-256:35264B5A8BAFC8EA8B4539D0E136EEDEB0E136FA1B0CAAB76A18C64FE6B122FE
                                                                                                                                                                                                                                        SHA-512:905E8C6E740AE264129EFE6EAEE738FE49CFE7D5FD6B1BEA2FC3799421256FCBAEE5BE8E62ABFBD8C5C153E00D10911DFB788589D24A5CFBE1CAC40C5F900A22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"}],. "tags":[{"function":"__ogt_1p_data_v2","priority":2,"vtp_isAutoEnabled":true,"vtp_autoCollectExclusionSelectors":["list",["map","exclusionSelector",""]],"vtp_isEnabled":true,"vtp_autoEmailEnabled":true,"vtp_autoPhoneEnabled":false,"vtp_autoAddressEnabled":false,"vtp_isAutoCollectPiiEnabledFlag":false,"tag_id":6},{"function":"__ccd_ga_first","priority":1,"vtp_instanceDestinationId":"UA-1053053-8","tag_id":9},{"function":"__rep","vtp_containerId":"UA-1053053-8","vtp_remoteConfig":["map"],"tag_id":1},{"function":"__zone","vtp_childContainers":["list",["map","publicId","G-GQWSZ2BE7X"]],"vtp_inheritParentConfig":true,"vtp_enableConfiguration":false,"tag_id":3},{"function":"__ccd_ga_last","priority":0,"vtp_instanceDestinationId":"UA-1053053-8","tag_id":8}],. "predicates":[{"function":"_eq","arg0":["macro",0],"arg1":"gtm.js"},{"function":"_eq",
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 265574
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59183
                                                                                                                                                                                                                                        Entropy (8bit):7.983145830436568
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:/31o2IsIxiP6U8Id4KWQcEN/PlpsB2s66OqLHBiA:/hQa8ILbjbfcHAA
                                                                                                                                                                                                                                        MD5:374790EF7C5BC8DE23AEFE837C2A1A65
                                                                                                                                                                                                                                        SHA1:54A03933A7ABC202CDD254A06094D1E2B1559BD4
                                                                                                                                                                                                                                        SHA-256:6B753F60FC1C9D33E98AA8FFFA36CCD41BD02A9AEFF23910F1B086C61DEC6BAE
                                                                                                                                                                                                                                        SHA-512:5DFBE6E019B7A76FC53E11FB438640DE2E8243BB9F81BD22F22E0068B99C0905F2FD83190E897C956AE0DD8940558E9CDD963AE292CE1AABCEFAEE4A36C63010
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 300995
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):99694
                                                                                                                                                                                                                                        Entropy (8bit):7.997571020635582
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:3072:6wvcXsnU5DQQraemHqi2iVHrfUXTSOMJ9GYX53s9u:6wFU50kn0TrfUXTyJZX53sQ
                                                                                                                                                                                                                                        MD5:9D8987848F64B8BF0DB2FB271910C3A8
                                                                                                                                                                                                                                        SHA1:2F8206AC63F6DFC6C7D8112BA3C0016401C736AD
                                                                                                                                                                                                                                        SHA-256:3FA29564506CE9AD1DB83A06DDF4D8CD5BEDBCDFC21D1E992D946940069E9DC0
                                                                                                                                                                                                                                        SHA-512:E2496DA096E8036C56D358F8F3099C4E324DB4C34DE8E73DA4518320BE5E4CAD299984D3EA34488731CCE37EBB38A94215B0300C2A64088F58BBF150FB2AE169
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        File Type:GIF image data, version 89a, 32 x 32
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1787
                                                                                                                                                                                                                                        Entropy (8bit):7.414935763896265
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3WlS79lzzM5C0xOdPSsruXjidF8d7wRScVaUgVLI:3WQ799M5hgdPbu2SzcVaUgJI
                                                                                                                                                                                                                                        MD5:50C5E3E79B276C92DF6CC52CAEB464F0
                                                                                                                                                                                                                                        SHA1:C641615E851254111E268DA42D72AE684B3CE967
                                                                                                                                                                                                                                        SHA-256:16EA0CF66D51EFDBBC2A62B11AB0419FA72FB3320844F1D0D710480245AC9925
                                                                                                                                                                                                                                        SHA-512:06AFB0EE97D49B23B8DE5CCF940A95D8497FC0B19A169AACBE7924DD0A088DF65C3D1F4AE7D73A31A1FC7B5A1569FEDEAD1F1757C10C281A1DD61564B9CC39FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:7-zip archive data, version 0.4
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):65191698
                                                                                                                                                                                                                                        Entropy (8bit):7.999995303724521
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1572864:1/WrzMfs5kLrol4Ca5aGYw7zGszhDrywTWXC8PEW3wv:1/SzMckL8loflDuwTSEW0
                                                                                                                                                                                                                                        MD5:F2024F4CD75F6C6880520286F2121A60
                                                                                                                                                                                                                                        SHA1:996E4D115ACC038B555E164985734B085B3591E6
                                                                                                                                                                                                                                        SHA-256:983A7586C3A54C9206FDDA9643E9E500CDF24242A815E07B42847122FA8C6550
                                                                                                                                                                                                                                        SHA-512:E06070294E50DE530364F1E8DEC7096EE9C9D90C6E67CBA9968E14E7126B7E7344A238C041415B858B0A7702F5F8FB2A7071501B8024B20DE4629EF3CF9F1046
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26879352
                                                                                                                                                                                                                                        Entropy (8bit):7.999861579662335
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:DI+3wTja6N6HTNdn9kOjBt7Si3pW/tjo1AovM52jBE:lDBHTNB9HjBtS9jJoe
                                                                                                                                                                                                                                        MD5:6257440E341224790F7E2D8286B149CE
                                                                                                                                                                                                                                        SHA1:873261D5602F31FCB219C925EFCB2B382E1DB1F1
                                                                                                                                                                                                                                        SHA-256:BD1005A0E8C2EB5C13CC9FC26835E012514C059A8B67CD1E4E782ED7566096A3
                                                                                                                                                                                                                                        SHA-512:9F12488E28D82E24E67FF5FD99BDB60C4CB06C111065FA0A8E63952CF952C1F99CFC060F04BF47C55CB8B3A0801394D7B64B57D25C4242FEB23CF2D0CBE2D49E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75974
                                                                                                                                                                                                                                        Entropy (8bit):7.973739579566582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:cyfQCzB7fBVwtW5EGtWO7Cemktbbv36SEOW9izF:cyfJ/2WXz7Fbbf61OW9aF
                                                                                                                                                                                                                                        MD5:CD09F361286D1AD2622BA8A57B7613BD
                                                                                                                                                                                                                                        SHA1:4CD3E5D4063B3517A950B9D030841F51F3C5F1B1
                                                                                                                                                                                                                                        SHA-256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
                                                                                                                                                                                                                                        SHA-512:F73D60C92644E0478107E0402D1C7B4DFA1674F69B41856F74F937A7B57CEAA2B3BE9242F2B59F1FCF71063AAC6CBE16C594618D1A8CDD181510DE3240F31DFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48743
                                                                                                                                                                                                                                        Entropy (8bit):7.952703392311964
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RtwR1Dy4rQznr1GYfvLn6froelhVNSyCPtSOeVlTTqYueg:zwR1DybhPwhvSyClSOk/geg
                                                                                                                                                                                                                                        MD5:4CFFF8DC30D353CD3D215FD3A5DBAC24
                                                                                                                                                                                                                                        SHA1:0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E
                                                                                                                                                                                                                                        SHA-256:0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
                                                                                                                                                                                                                                        SHA-512:9D616F19C2496BE6E89B855C41BEFC0235E3CE949D2B2AE7719C823F10BE7FE0809BDDFD93E28735B36271083DD802AE349B3AB7B60179B269D4A18C6CEF4139
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6144
                                                                                                                                                                                                                                        Entropy (8bit):4.720366600008286
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7408
                                                                                                                                                                                                                                        Entropy (8bit):7.954397008598553
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:zxngYPPoGqxvZOay4og9SO5ChxqzUQrB/Przj4h8mY:zyVrvgarZ15mNQBLM0
                                                                                                                                                                                                                                        MD5:C295B6DAC846E9FD92FB1CDCC82D207A
                                                                                                                                                                                                                                        SHA1:ACD046991685638BBA09FA38072EEF81D8C08A3A
                                                                                                                                                                                                                                        SHA-256:4C894CF4266A0E9B570C9D7F23DC327347F0955DDA09B515109CFEDB76BAEB2D
                                                                                                                                                                                                                                        SHA-512:027027519392967DB8CA1D11BC4102E9BF0B91BA1A4FD2645CA74EDB8F302D23855E242E8D378393D0FB5C84468B7A47105F0C53517CFA77EED293EC1AD053E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7409
                                                                                                                                                                                                                                        Entropy (8bit):7.956467279797268
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:XpsLi4I9bj53p6SiwM9/2tkBUv7HN5fWhofH8:XmLa5ZpM9/2+uvrhH8
                                                                                                                                                                                                                                        MD5:EB344B174577F6544F5509130BB7E869
                                                                                                                                                                                                                                        SHA1:F7B7582D332FAB1A611A96EE9ADFC898C6D6A3B8
                                                                                                                                                                                                                                        SHA-256:EB799F8F8C9D15D173FCDB5481E68F456E1A5D7F7C1468D99658491DD761A753
                                                                                                                                                                                                                                        SHA-512:CC8D6622CB2E970D684242A78C067EFF766527DB0D0FCDAF2F3BFB6EDD881C1447151E102637F786424A4A1CBED9270D265139F2E59FC266B54A78CAB28837FE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45608
                                                                                                                                                                                                                                        Entropy (8bit):6.108387145397367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9x+kL+W392KwbG3S8gUtYcFA/Vc6KJcQqCPtspPxWEJ+Z+cQqCPtJGPxWEJN:9x7SGwbGC8gI8VclTqUtoPxmAqUtJGPx
                                                                                                                                                                                                                                        MD5:732EBDF213C6DB82F652B52D7C36CCD6
                                                                                                                                                                                                                                        SHA1:387C101533B2B04E955113B899DFE27D4E387AAD
                                                                                                                                                                                                                                        SHA-256:0518188A1EFE9C38CED45298147420FB398DEED797B5543814B3784124CA6842
                                                                                                                                                                                                                                        SHA-512:E6388704C5DBE2321F985E7A5F7BD47D860FF9C11C3FADED1A918A5D0C9AF4F18A05EDDFB87E72D9E87B7FECA19E58173E28C5D13F35D257B436C3A493EC2417
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):527389
                                                                                                                                                                                                                                        Entropy (8bit):7.995975187354872
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
                                                                                                                                                                                                                                        MD5:F68008B70822BD28C82D13A289DEB418
                                                                                                                                                                                                                                        SHA1:06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
                                                                                                                                                                                                                                        SHA-256:CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
                                                                                                                                                                                                                                        SHA-512:FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26879352
                                                                                                                                                                                                                                        Entropy (8bit):7.999861579662335
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:DI+3wTja6N6HTNdn9kOjBt7Si3pW/tjo1AovM52jBE:lDBHTNB9HjBtS9jJoe
                                                                                                                                                                                                                                        MD5:6257440E341224790F7E2D8286B149CE
                                                                                                                                                                                                                                        SHA1:873261D5602F31FCB219C925EFCB2B382E1DB1F1
                                                                                                                                                                                                                                        SHA-256:BD1005A0E8C2EB5C13CC9FC26835E012514C059A8B67CD1E4E782ED7566096A3
                                                                                                                                                                                                                                        SHA-512:9F12488E28D82E24E67FF5FD99BDB60C4CB06C111065FA0A8E63952CF952C1F99CFC060F04BF47C55CB8B3A0801394D7B64B57D25C4242FEB23CF2D0CBE2D49E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75974
                                                                                                                                                                                                                                        Entropy (8bit):7.973739579566582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:cyfQCzB7fBVwtW5EGtWO7Cemktbbv36SEOW9izF:cyfJ/2WXz7Fbbf61OW9aF
                                                                                                                                                                                                                                        MD5:CD09F361286D1AD2622BA8A57B7613BD
                                                                                                                                                                                                                                        SHA1:4CD3E5D4063B3517A950B9D030841F51F3C5F1B1
                                                                                                                                                                                                                                        SHA-256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
                                                                                                                                                                                                                                        SHA-512:F73D60C92644E0478107E0402D1C7B4DFA1674F69B41856F74F937A7B57CEAA2B3BE9242F2B59F1FCF71063AAC6CBE16C594618D1A8CDD181510DE3240F31DFF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48743
                                                                                                                                                                                                                                        Entropy (8bit):7.952703392311964
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RtwR1Dy4rQznr1GYfvLn6froelhVNSyCPtSOeVlTTqYueg:zwR1DybhPwhvSyClSOk/geg
                                                                                                                                                                                                                                        MD5:4CFFF8DC30D353CD3D215FD3A5DBAC24
                                                                                                                                                                                                                                        SHA1:0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E
                                                                                                                                                                                                                                        SHA-256:0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
                                                                                                                                                                                                                                        SHA-512:9D616F19C2496BE6E89B855C41BEFC0235E3CE949D2B2AE7719C823F10BE7FE0809BDDFD93E28735B36271083DD802AE349B3AB7B60179B269D4A18C6CEF4139
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7402
                                                                                                                                                                                                                                        Entropy (8bit):7.956485429194433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YQvUdCD01bkHgD5ujpbwGDTtjRl2N0kMTl61yH7rsZRJ8:BvUdq01QHPx9N+0kMTl6+rsbJ8
                                                                                                                                                                                                                                        MD5:3CBA3155B8F16EE2EC14F208363F7F72
                                                                                                                                                                                                                                        SHA1:F61AD3F128CF537869124898346BFC544B57AFC8
                                                                                                                                                                                                                                        SHA-256:78A15F0F41DCADE540606FA92743CB597260433079800421AC31C095A51E0806
                                                                                                                                                                                                                                        SHA-512:18938A8ED56FE332FB61790A89B36D137F811CD995E315727EB8ED64CCCA9C703E36012A9F888C9E9BB52A9DFE1195B900BE58E49213D4A2804D5B4D4ECCC084
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45608
                                                                                                                                                                                                                                        Entropy (8bit):6.108387145397367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9x+kL+W392KwbG3S8gUtYcFA/Vc6KJcQqCPtspPxWEJ+Z+cQqCPtJGPxWEJN:9x7SGwbGC8gI8VclTqUtoPxmAqUtJGPx
                                                                                                                                                                                                                                        MD5:732EBDF213C6DB82F652B52D7C36CCD6
                                                                                                                                                                                                                                        SHA1:387C101533B2B04E955113B899DFE27D4E387AAD
                                                                                                                                                                                                                                        SHA-256:0518188A1EFE9C38CED45298147420FB398DEED797B5543814B3784124CA6842
                                                                                                                                                                                                                                        SHA-512:E6388704C5DBE2321F985E7A5F7BD47D860FF9C11C3FADED1A918A5D0C9AF4F18A05EDDFB87E72D9E87B7FECA19E58173E28C5D13F35D257B436C3A493EC2417
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45608
                                                                                                                                                                                                                                        Entropy (8bit):6.108387145397367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9x+kL+W392KwbG3S8gUtYcFA/Vc6KJcQqCPtspPxWEJ+Z+cQqCPtJGPxWEJN:9x7SGwbGC8gI8VclTqUtoPxmAqUtJGPx
                                                                                                                                                                                                                                        MD5:732EBDF213C6DB82F652B52D7C36CCD6
                                                                                                                                                                                                                                        SHA1:387C101533B2B04E955113B899DFE27D4E387AAD
                                                                                                                                                                                                                                        SHA-256:0518188A1EFE9C38CED45298147420FB398DEED797B5543814B3784124CA6842
                                                                                                                                                                                                                                        SHA-512:E6388704C5DBE2321F985E7A5F7BD47D860FF9C11C3FADED1A918A5D0C9AF4F18A05EDDFB87E72D9E87B7FECA19E58173E28C5D13F35D257B436C3A493EC2417
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):527389
                                                                                                                                                                                                                                        Entropy (8bit):7.995975187354872
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
                                                                                                                                                                                                                                        MD5:F68008B70822BD28C82D13A289DEB418
                                                                                                                                                                                                                                        SHA1:06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
                                                                                                                                                                                                                                        SHA-256:CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
                                                                                                                                                                                                                                        SHA-512:FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):527389
                                                                                                                                                                                                                                        Entropy (8bit):7.995975187354872
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
                                                                                                                                                                                                                                        MD5:F68008B70822BD28C82D13A289DEB418
                                                                                                                                                                                                                                        SHA1:06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
                                                                                                                                                                                                                                        SHA-256:CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
                                                                                                                                                                                                                                        SHA-512:FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28855552
                                                                                                                                                                                                                                        Entropy (8bit):7.992448398456331
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:++7GuADYqGk2LrsyN0QuY5PpAVN546uuz:++CuADCw1Y5BAVNi63z
                                                                                                                                                                                                                                        MD5:D2272F3869D5B634F656047968C25AE6
                                                                                                                                                                                                                                        SHA1:453C6FFA6EC3A0A25AE59A1B58A0D18B023EDB16
                                                                                                                                                                                                                                        SHA-256:D89A2423DA3704108861F190E1633D2100ECC30B4C40BD835CE54A6934887BC9
                                                                                                                                                                                                                                        SHA-512:41072EF6F382CF6D4D97EBC2A49A50A9BD41B53508A8586FD8D018E86AED135E8AC2CDD16BBF725E4F74F14ECFCF49789D3AF8924B6D5DFA6B94DC6BF79A0785
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1184128
                                                                                                                                                                                                                                        Entropy (8bit):6.623147525519113
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:WF66IUpqM/XAl0drYaL6NFEXXN6abiklqOYadJ0CbmpV4CsCa0wDisO4qG:k/M0drYaIaXXOAqOYadJ0Cbmrhq0wTb5
                                                                                                                                                                                                                                        MD5:143255618462A577DE27286A272584E1
                                                                                                                                                                                                                                        SHA1:EFC032A6822BC57BCD0C9662A6A062BE45F11ACB
                                                                                                                                                                                                                                        SHA-256:F5AA950381FBCEA7D730AA794974CA9E3310384A95D6CF4D015FBDBD9797B3E4
                                                                                                                                                                                                                                        SHA-512:C0A084D5C0B645E6A6479B234FA73C405F56310119DD7C8B061334544C47622FDD5139DB9781B339BB3D3E17AC59FDDB7D7860834ECFE8AAD6D2AE8C869E1CB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2053632
                                                                                                                                                                                                                                        Entropy (8bit):6.618905623603141
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:9fYyS/h4IbleO/ZR/JlIjKuACMCxW4wuQ6/ybXFotEu:9O/mEsO/bJlIjpTMCxW4vQ6/yZE
                                                                                                                                                                                                                                        MD5:B83F5833E96C2EB13F14DCCA805D51A1
                                                                                                                                                                                                                                        SHA1:9976B0A6EF3DABEAB064B188D77D870DCDAF086D
                                                                                                                                                                                                                                        SHA-256:00E667B838A4125C8CF847936168BB77BB54580BC05669330CB32C0377C4A401
                                                                                                                                                                                                                                        SHA-512:8641B351E28B3C61ED6762ADBCA165F4A5F2EE26A023FD74DD2102A6258C0F22E91B78F4A3E9FBA6094B68096001DE21F10D6495F497580847103C428D30F7BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3207680
                                                                                                                                                                                                                                        Entropy (8bit):6.365759129122089
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:6dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjB3331VW:LHDYsqiPRhINnq95FoHVBB3331s
                                                                                                                                                                                                                                        MD5:3B531BFA13D2F16B94E463747A9B0022
                                                                                                                                                                                                                                        SHA1:39A7B5E5F042CA66925A6314A8C25166C58E41CB
                                                                                                                                                                                                                                        SHA-256:35498B9D4A66DA46D2A00B7269933E080B5775EF8F00BE2189E89FFB23EE60F8
                                                                                                                                                                                                                                        SHA-512:EB480662BA5FA91C9F32CA2E278D40AD791B32EDC28F2080C102CF89C6D4CDA1B13C4040627E7FFF4CCBD80F5B55662FC0A079201B4264CE2165475DDD27897E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1968176
                                                                                                                                                                                                                                        Entropy (8bit):7.8092639751415245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:ndlczrfrH0aJTylWcs5IP63tFOzfitt2Yiu0:ndlcvTWlZ6IP63tifi7Lq
                                                                                                                                                                                                                                        MD5:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        SHA1:F0020E1D0ABABD096BFEFCBFACB150889328A28A
                                                                                                                                                                                                                                        SHA-256:10E61ACA57FB74AC71238E8E0C9EEFB3942A646F7773BEA1B4348CAC922C9336
                                                                                                                                                                                                                                        SHA-512:33F903BB6B19A29BD09EF515977439EF6EF63EBC0640CECED61DD7D7FB35A5DEABCBA5F2F8B0A01015778E22F2AAF2050D3521B37326305E0055682B8C3E547C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):153976
                                                                                                                                                                                                                                        Entropy (8bit):6.331457760426863
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:DAZpz3eQkXBlJ6pM91zgrn4oul5ntwcfsOct7BjWSP8B:DAvzD6l0+1grn4otBWSUB
                                                                                                                                                                                                                                        MD5:3351152F6EE87E97682A0A7C459EF614
                                                                                                                                                                                                                                        SHA1:5312F9DA67FCFD573DC5E45F6A7CC35FA463AF89
                                                                                                                                                                                                                                        SHA-256:6E2673687BA029074657F0D1C4410691EE013EFF2223D0C7695DFE4F70C62F1C
                                                                                                                                                                                                                                        SHA-512:2B7ECB22746BF907AE4DA891E170226DA4F180ADE27E41A16E1EF9E11F39E5E35B9EAC3FCFFF520DBB8A8888A1DBD1CA2459AB58CE8DC44A424C5DE7B8132DE6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349856
                                                                                                                                                                                                                                        Entropy (8bit):6.2160026026399855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:81sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5Dfk:81sSmRIt/xhtsOju1DH5NXnIKAc4NU
                                                                                                                                                                                                                                        MD5:A09DECC59B2C2F715563BB035EE4241E
                                                                                                                                                                                                                                        SHA1:C84F5E2E0F71FEEF437CF173AFEB13FE525A0FEA
                                                                                                                                                                                                                                        SHA-256:6B8F51508240AF3B07A8D0B2DC873CEDC3D5D9CB25E57EA1D55626742D1F9149
                                                                                                                                                                                                                                        SHA-512:1992C8E1F7E37A58BBF486F76D1320DA8E1757D6296C8A7631F35BA2E376DE215C65000612364C91508AA3DDF72841F6B823FA60A2B29415A07C74C2E830212B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552592
                                                                                                                                                                                                                                        Entropy (8bit):6.677913386734197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vZtZVgIQtZM1A0+Nwhq3drt0ZAPKYZzrOZW4mlKhl:vZf661A0ue8lCZAPHZzrOZW4mlol
                                                                                                                                                                                                                                        MD5:41A3C2A1777527A41DDD747072EE3EFD
                                                                                                                                                                                                                                        SHA1:44B70207D0883EC1848C3C65C57D8C14FD70E2C3
                                                                                                                                                                                                                                        SHA-256:8592BAE7B6806E5B30A80892004A7B79F645A16C0F1B85B4B8DF809BDB6CF365
                                                                                                                                                                                                                                        SHA-512:14DF28CC7769CF78B24AB331BD63DA896131A2F0FBB29B10199016AEF935D376493E937874EB94FAF52B06A98E1678A5CF2C2D0D442C31297A9C0996205ED869
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):371672
                                                                                                                                                                                                                                        Entropy (8bit):6.117467840486005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7ruNWxFaLx73+nRo2GGmZ2CRGpAM3JUGuT5up6zOPLyU0SJFNFaFeFOFwcGF6cmb:GNWx6xz+nRo2GGWHQZMaLyJSJFNFaFeQ
                                                                                                                                                                                                                                        MD5:42E6E9081EDD7A49C4103292725B68E2
                                                                                                                                                                                                                                        SHA1:62F73C44EE1ABA1F7684B684108FE3B0332E6E66
                                                                                                                                                                                                                                        SHA-256:788450452B0459C83E13DA4DD32F6217BFB53A83BD5F04B539000B61D24FD049
                                                                                                                                                                                                                                        SHA-512:99EAB89BF6297FDA549C0B882C097CD4B59FD0595FF2D0C40D1767F66FA45172CA5B9693DBF650D7103353F1E1FB8E5259BBCDE3DFA286DEE098533A4A776E8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75576
                                                                                                                                                                                                                                        Entropy (8bit):6.015125829078427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:f784YWau8lqubx6WxXLA+o2SLFyEdux136ytgHo0AuresehSAU9bP8F9x/:f7NV8v36tI0XCKAmbP8x
                                                                                                                                                                                                                                        MD5:29E6AE1A1AF7FC943752A097EC59C59C
                                                                                                                                                                                                                                        SHA1:6D5C910C0B9A3E0876E2E2BBBCE9B663F9EDC436
                                                                                                                                                                                                                                        SHA-256:CC9BF1FEEAB1D76221508D6CC98E8BDC1603D5C600C5ED09C108E31B8BD3A6A2
                                                                                                                                                                                                                                        SHA-512:CC6D55E5FD23C89D73ECBDDFA92C102F47F8FB93F2F6A41D2E79708E6A8D7C13C1961DCD07810DB3135D2F8DDCBF3535FB3EA3D1FC31C617CA9B10F6B867F9A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.881167538031942
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:lIY1pQ8vGO4xToxMi5eX2zUA8rYgLIgPrEyz23tMuuVWJkYUECd1Vl7Iru+M3YVO:l3pQ8vQToxMi5emzUA8rYgLIOrnz8uuI
                                                                                                                                                                                                                                        MD5:EE2E523BBFB65E138B64EAFD223DE12E
                                                                                                                                                                                                                                        SHA1:7F3FB82A3F6643963C0F4F2903F35389EE3AB775
                                                                                                                                                                                                                                        SHA-256:2B2BE36B51272B6F0117A40320AC48CD0E415AFE2EF4FBA3AF06A7EC166A949D
                                                                                                                                                                                                                                        SHA-512:2DAAA1BB06DDFAAC09328D06E239A9C518B7D3F462BA4C075D7DF71A23BBD7255C75C2A5B28B8238919FBF587C704E35580BB3533CE5730BC21A561AC8441490
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.747406513994599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hIYRN3EsGGj3fvKEx8rUrb+M0lIVixNPqDGomU3WUeQoXjAUwMXrAfeMA7AWmBHl:hXN3EsVfvVx8rUrb+M0lIVixNqiomyJx
                                                                                                                                                                                                                                        MD5:F2317FEF5CDCE4A19E6E7216DAA0624C
                                                                                                                                                                                                                                        SHA1:BDB39EA1300B158FCD76204ADD8F9F1F7EA0F2E9
                                                                                                                                                                                                                                        SHA-256:DA0E42EDF577C58CB729C8925860AFEC61E95CC355B40EFD8FA61993766733AF
                                                                                                                                                                                                                                        SHA-512:B7A16F4BB5E20D2FB1FF76991BC3C917E65BAA60507676845E1BBFC68D800CC061AF97D325B67DC1A2AEEC02FDB289BB8BB716270A7C2044B3993B326556985D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.758980695953914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.557060180794725
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15360
                                                                                                                                                                                                                                        Entropy (8bit):4.985998121932066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.714734931607904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.425694157692337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.724387918625746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.400892179402441
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:O0Zne9hwoGBjeCipxwU6LOl+DDUbqN4PPjjDr8d30LfmJyXOhZCa2m5sml+T9lmH:O0Y9hwoEipxwU6LOl+DDUbqN4Xjz8V4q
                                                                                                                                                                                                                                        MD5:4F631AAEB5AE030730DEA6914E2D1F7D
                                                                                                                                                                                                                                        SHA1:B7067AAADF75F56EE975E7ACA675D1B8C08DC8D8
                                                                                                                                                                                                                                        SHA-256:A924B53A87704120CE886F05CD94569DEF1B6AABF201EC22C8D4CDA547988619
                                                                                                                                                                                                                                        SHA-512:4CA227913B238DB98CB866A4738F38195DC06ADBE7452D79AA077A817479E657DBF1D10E9A300BDD35D0DC6DCF72C013DF5A3D8E5C1118C09F586260C35F1003
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.837530219353483
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cY0al1sBIxgyFzjXZfu14MpXrOUDlK8yXahGY7uXJ3s8D:CBImyDM5DtyXwGY7uXJ3s8D
                                                                                                                                                                                                                                        MD5:3B5352CA4CB06DAD6C6CE7F15B757810
                                                                                                                                                                                                                                        SHA1:7ECB52EC5909FC6E9DF2BF591D1A12CC33F8E842
                                                                                                                                                                                                                                        SHA-256:E59969A07F3AECC9303A8ADD6D1F36C058472342A98B1DB274A1FD8E0EF6CA74
                                                                                                                                                                                                                                        SHA-512:D808F61552F1F59080E4A027075F4BC66AFECDD78DD970FBF8DD25CFAC65BC5C619D964DD14E41A5F6209154D1EA7A5D4943FE35C12F4E0892FE1267E47DCF12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.588569516197988
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YWWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VP81g5rxg0XWr:Y1NvbdKJiDjgmlRi0HYZDMp5rxg0XWr
                                                                                                                                                                                                                                        MD5:3B4621370ADDCF4306669C9E7E45C865
                                                                                                                                                                                                                                        SHA1:EA1AB3C499E946E152C1FC4A63FA99E1F9BE94B4
                                                                                                                                                                                                                                        SHA-256:E3EE50E08124A7603BE7D996DCF596EB0D3F9C603768E86E003F7B942D7097F3
                                                                                                                                                                                                                                        SHA-512:586755F32D16AFD937BFC1FE3C52210AB815D5D4C904DE101150FA052A94BABFCBDC465669FF8C2537B782474658D7912037DDB76D8C9A8FD34715D1FE7B2857
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17408
                                                                                                                                                                                                                                        Entropy (8bit):4.802041892251835
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VME5h/2kXJsxw5w2UW4ctvHU+Th60iu2F6mKVZnCyJT2ox8mn9THjI5gE2ac753E:BXJsO57hOt9AZnttxKqz3s8Q
                                                                                                                                                                                                                                        MD5:07261269F0355CB5B8C000DA3566B6E5
                                                                                                                                                                                                                                        SHA1:891B18A58432D46C0C943239A2EBE51007F982E7
                                                                                                                                                                                                                                        SHA-256:2E56643C064050DE5F6061B8C3E507B819D28BDC952647CB8A6B966AD6E3FFBE
                                                                                                                                                                                                                                        SHA-512:2A958D567F0D95F270F9DBA7D6AE88F10279C0DA073E6F008DD2E0118324386E52875BAE4F506DBDAA0C45BD6FF1CEA70276EBE5CC22D4CAE7214FCEAFD764CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.743164798651778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yIYVdDpBwGpkiVlZPxZlrPy2o92kGetEQyPIlUVKC3JDsS7qSmKV/4jNni67gXWE:y1DpBwSkoZPxZlrPY92kGetEQII2oANF
                                                                                                                                                                                                                                        MD5:D43FD55D52A82BAD6C98008801D90207
                                                                                                                                                                                                                                        SHA1:50B9EE0CC11B0C29022A3B4EFD928284E846B6C8
                                                                                                                                                                                                                                        SHA-256:C6635270A0420CACB869FDE826E72E96E94636473369CFDCB09280FDDD4ECAFE
                                                                                                                                                                                                                                        SHA-512:9EFF61089B7B8156AB78D50F3BB82498C2812BE64955353A5FE4A143F96DF79620DF8911125DEC00BD124484EA00E39A4157E3F87F6EC9C9B52FA13016E17AEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.800749080991806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ndpTgTI4gNxtBqu+p5DXv00jiOKQosgcekILk0pltfU3s8Z:t4gNrBnOVlgcekILfpltc3s8Z
                                                                                                                                                                                                                                        MD5:0DEC5C4C1C673A7CA6F1E9BEF8DAA9F5
                                                                                                                                                                                                                                        SHA1:9296735372A36C4B84F98563A2661928EA586773
                                                                                                                                                                                                                                        SHA-256:E4326509EF689F63A130756228E348EB45940BA09A22212F7C826C17240E4EBA
                                                                                                                                                                                                                                        SHA-512:5ABBA62A4062697AFB673BEF5F92544619FA242BD014508A6CCF5617B40168042409E543CC2E5CCA009DC2AE342B61FBE0D4C5594C1D52B2E756302ACEB30A43
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.6818573968387645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:sqIYIZcKqG4ny8ZxSWuwCoBWidWjZdPAhDHPBg37eXCIKKXgXruQm8X0tF8HgGCy:sqOZcKqG8ZxSWuwCoBWidWjZ9AhLJ2S4
                                                                                                                                                                                                                                        MD5:5E34215E6294D9382D0A51323F976B63
                                                                                                                                                                                                                                        SHA1:A161CB06FEE5E2669FC004178C230CACDAEA462F
                                                                                                                                                                                                                                        SHA-256:CB211A058273C109746CD00F96E0BA02D24C9CCC49315FAF036B580238F65F0E
                                                                                                                                                                                                                                        SHA-512:1B0E3D83AFD4DA4DBA5A212C02181F99E4CAE904174C587255263D52B7EC40C02E080F19646E5C0D6066F577C6E00B37DB94C980788964C4FB7C128F8E8BA139
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.76812009374708
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aIYr9kupX/Gdq8SQxZdNYobyRXvujVf9UgPw/ev3nww3OajMRD1TLIjB5leULIpI:a3kupX/GSQxZdNYBRXvujVf9UOwGvwwH
                                                                                                                                                                                                                                        MD5:441AC1C5155182D0BFDBA377A858FE74
                                                                                                                                                                                                                                        SHA1:B4DDE792E5833352CDE944BDA57C0CFD3F1C985D
                                                                                                                                                                                                                                        SHA-256:36294FB621E9D99711F4D906AFD25F2397507F0E39FD07AD646D17CB2A3B0375
                                                                                                                                                                                                                                        SHA-512:D9F81AC33E863DBA1BF03D59A739E6F3F6DCAE6836FF1F3565771475232C1D311925E2A02A60110F2B4DD902C52D38557F9B28D86CF97A2792D2A9B28FB46C99
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.368637490829895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:vOiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPD1q5rxg0XWr:v11NvbGTNgr1nJI3+07MM5rxg0XWr
                                                                                                                                                                                                                                        MD5:1C331DA4BCE2809E16913C02E385576E
                                                                                                                                                                                                                                        SHA1:CF8E71E030347749596A53D1B13B9E9583EC0527
                                                                                                                                                                                                                                        SHA-256:1D0493E38D8B3FCC7EFA4916FEA1EEA69EE6449BF435E1869C1BC3F54D4090C5
                                                                                                                                                                                                                                        SHA-512:2871119690F3DF0F244384A3F5F65FFE7CF17F1F00F6B530512AEDEB8397C9E357079E8FBA76D2A5BF6BE4E2B18E4AC1AC104EA2D29F8F40CEF6F30A905ECF83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13824
                                                                                                                                                                                                                                        Entropy (8bit):5.091819593877884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OxwAHD6CkxQdCnvRl/oRHx8asale681v/V3s8V:xCkSdK0t81vd3s8V
                                                                                                                                                                                                                                        MD5:491E0BB03970BCD681C264675E65DFB4
                                                                                                                                                                                                                                        SHA1:F4245F334C084D45DC9FF6B63ED4B50355FD6D73
                                                                                                                                                                                                                                        SHA-256:A0C4368ACE35825B6BA54D83F04E787A20BA7998EE8592FEED51787B1F053B99
                                                                                                                                                                                                                                        SHA-512:599C77E40A174BA3C0A3003B32A6AD0B1C8DD2BEEEBC977DE16EAE9C8686C77996458E89983E955C4A9DBD1C9E54EE275848A09CC2C697F575E013E6B9389886
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):5.203697308171917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+FWuuyUdKvx4W9SxBmJsEMGFW/uuH2LlLTDUCl9w5JHJ8/uDm3s8r:FdKv+WqV2ZLToU9wXi/uK3s8r
                                                                                                                                                                                                                                        MD5:AE60D61E47219AED36F791D067F3037A
                                                                                                                                                                                                                                        SHA1:A0C3173B5034C187F8EE05A2C2D119BD773C079F
                                                                                                                                                                                                                                        SHA-256:AFF47CAF8450AB56E3CEAD10F4C6CD746DAC2D97A745114FF9197D4C413285EB
                                                                                                                                                                                                                                        SHA-512:B98B91AC5A9ED0EA50BC9BEF999FA41A262FAE7AC228F088A7B1E56645BE5B566C0154297A1F048C5DED6A4FC438A3BA6BDCBD0965057B8879AD7FD775D603BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.693723661436578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DIYfsK6eGOy+v3qxh7EFBYn1p4hVYTPMPhT9CEGF3aN3MfCExO4MV09J7wcLaaEY:DZsK6epv3qxh7EFBYn1p4hVYTqhTAEGt
                                                                                                                                                                                                                                        MD5:5A6F72260B46A5D10D9C0A779A296B82
                                                                                                                                                                                                                                        SHA1:C8EA84BF62A5F28B5549902CD5E2C13021EDD3BA
                                                                                                                                                                                                                                        SHA-256:3CE83301DC7273EED3FCD302E7C3B048C86454C949E1625BF9076097A95F5C9F
                                                                                                                                                                                                                                        SHA-512:EF8FC330E14B6BC0AA78805138E797201BC4115B915F12A26F7A3A2CE87457679015EFFBABC681DA7FEA529B031EF1E5C0A2E5B688033402028513BE35B799D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.73557270770413
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:htIYBN1XfOGCvouQTxklOVw/lzyOl/dEf80gPCdmP347U9DC47aqFD37E/avkeZw:3TN1X2HQTxklOVylzyOl/dEf80OCQPAB
                                                                                                                                                                                                                                        MD5:D4A8DDF5309E7EA0A4C1EAA2B46B72FD
                                                                                                                                                                                                                                        SHA1:FEFADFBA4F8134683DD6719D0AA425B695074BF3
                                                                                                                                                                                                                                        SHA-256:B0BE52F2B312847AD47DAB37C2732837529AFEF79DD7F970F675EC2827186787
                                                                                                                                                                                                                                        SHA-512:E0547185D6B0E5C3B491E9959E2A5E1B0D95028668AE9A50D02027767B1918AFEB3755DB5B07E1B5F6EC71AF4AA4E592E73A2C5C214262E3C6117D7A0D836ABC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.8030182107343204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3IYfp3DcrGr6SHAOzLxE6oMuN50rtbxn/XidPWd3SJC30Gh58xSoHR+hxWfbrVsj:3Zp3Dcr2NAcLxE6oMy50rtbxn/Xi9WdX
                                                                                                                                                                                                                                        MD5:43EEACA65E1A59D947175491EAB013F6
                                                                                                                                                                                                                                        SHA1:9E3F6EDC0BBB9E9BFBDDD4AF7DB6118A6C850671
                                                                                                                                                                                                                                        SHA-256:C21E2DC26BD0CF8591453CFBDFCC7479A74C82853E0860FEE64B653C3E7B22A4
                                                                                                                                                                                                                                        SHA-512:EAB0B44ACBDAD127682426D9FFEA0C6D76F14A9B2F8BE0284E3E54E004BB32A7766F1D382AEA3A7BFCDBBFABDB29C225A64FCEC3442D062511D3F77A5092BE7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.594776627495051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:haWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPb1V5rxg0XWr:g1NvbaG1cxy8ONHskdD5rxg0XWr
                                                                                                                                                                                                                                        MD5:B60817A69E314B22F746917C826DA53E
                                                                                                                                                                                                                                        SHA1:7D2785A6D1A53A0717C986B959AF67DE6F9300E4
                                                                                                                                                                                                                                        SHA-256:6E58D86C42B61226DD7AF35D7C9432CE6F0982D1D0D5A2F4120E8ABC5C787A02
                                                                                                                                                                                                                                        SHA-512:9A8F029329CE105B3F72FEE623E3AB8C88E1AF45F86FAB61F81BE418B2D70F83E4C0466010D312240A01E1EF8F9B9926EBF43E25BDC3C364C2D28AB9B0E5F6FC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.715973311068644
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:bIY1nlNKGnxGxIDx+sQ0Y4EQujHOVhPgdfBF3UTVV/Lea/FVgYISK+uZqiF4Afkq:brnlNK/xIDx+sQ0Y4EQujHOVZgdBtofc
                                                                                                                                                                                                                                        MD5:F86231C09FE30F3B630F2B066ABC0B7D
                                                                                                                                                                                                                                        SHA1:B3F8D8A213C5198F1779A589EFF3C77E181DEF72
                                                                                                                                                                                                                                        SHA-256:33938DBB2DB55BB6DF6D7671E1A57A07022E17437DEA0CDFAE79BB164CC2A372
                                                                                                                                                                                                                                        SHA-512:28FA420813634464E12A6F2F477A0C118876E455422C49749D3D503519F515B529F076A2AEFDD18CB3B0EF4ABDE229A3C4D348E5F56D098679C3107348F2DC1C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.731031969686216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IIY1nlNKGnxOu7xKgUOVBQ6Bo19sPzPLegs8+3vCqV/LMa/FVKYIS+9wOTKQiF4O:IrnlNKNu7xKgUOVBQ6Bo19sPTLM80ao7
                                                                                                                                                                                                                                        MD5:7A0E351F6B323DD69619208A03A1B878
                                                                                                                                                                                                                                        SHA1:54CCA58C4D6E315C15D9CA76B8DE06F1F66889FA
                                                                                                                                                                                                                                        SHA-256:33C96B6F6F830BB4717956B0D89F780837389AB2AF4564F6CACCC360B2C3059B
                                                                                                                                                                                                                                        SHA-512:4F57222F9F8E76A571FB2B95839E8CF29908509DC376AE9C5553B48BE8407305CC8CD41AF55FC5913CF1BAD9B9EFB4879646D74FD9B622CA6D0220CAF0FD3382
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.72532222668886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:sIY1nlNKGnxOu7xKgUOVBQ6Bo19sPzPLegs8+3vCqV/LMa/FVKYIS+9wOTKQiF4n:srnlNKNu7xKgUOVBQ6Bo19sPTLM80aoC
                                                                                                                                                                                                                                        MD5:D192C04626F6408AE49827C844423A97
                                                                                                                                                                                                                                        SHA1:020F0129B5F3833743FAA0D406C1B0D12F0875A6
                                                                                                                                                                                                                                        SHA-256:4B4D398CC97A2BA0B4F83E3BDA159C8B6712D7039C88C5A6E2374B6C83D296CC
                                                                                                                                                                                                                                        SHA-512:118961F9ED1196D25E311532FB533FC7D266F33192C3EBC8D62DF91DD7C1DE3B3521DD8C092049DEF5E31C36A972991FADC243B50087FFDCC61CBE0E60554425
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.786221406079869
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2xIY4puUhG9oHusJxWgAm/45t6lSertHPHrgCs324VfosqPXMdEqljSNPEinIOB5:IapuUhg7sJxWgAm/45t6lSertvHrDapm
                                                                                                                                                                                                                                        MD5:6925B8D93F81214E569AB80029AE9FFD
                                                                                                                                                                                                                                        SHA1:AD318591ACC6DBD6C34ACB8529BE01DE9C4DDE86
                                                                                                                                                                                                                                        SHA-256:6818FFC05046738148318630D550130360857BA272577563163B466A1B2EA8BF
                                                                                                                                                                                                                                        SHA-512:7492C29D630A9FA9F4AB41A96AFF08A38C0FC2EC284B92475ABF30343D5346958B5D804539602FEEFFE204A882780D391007ABF920F98849F6D65C2F514F62C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160120
                                                                                                                                                                                                                                        Entropy (8bit):6.406162771968354
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:n6lrh8aWSI9uVDeMWoWVy5zmndQ1dTZjxO3S/9FVkmiGUkP8f:n6lrhISL9e1oWE56ndQ19aY9FjJUf
                                                                                                                                                                                                                                        MD5:9DEBA7281D8ECEEFD760874434BD4E91
                                                                                                                                                                                                                                        SHA1:553E6C86EFDDA04BEACEE98BCEE48A0B0DBA6E75
                                                                                                                                                                                                                                        SHA-256:02A42D2403F0A61C3A52138C407B41883FA27D9128ECC885CF1D35E4EDD6D6B9
                                                                                                                                                                                                                                        SHA-512:7A82FBAC4ADE3A9A29CB877CC716BC8F51B821B533F31F5E0979F0E9ACA365B0353E93CC5352A21FBD29DF8FC0F9A2025351453032942D580B532AB16ACAA306
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsAtom.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):170464
                                                                                                                                                                                                                                        Entropy (8bit):6.477162619102264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/R761d9cCg9+zhOzcx9R0KvvvvnPPH6Gi5tPArrYeiYiPKiF15fJ2K/Krrii555k:U1TcpihOk0KvvvvnPPH6Gi5tPArrYeix
                                                                                                                                                                                                                                        MD5:D9CD9C6486FA53D41949420D429C59F4
                                                                                                                                                                                                                                        SHA1:784AC204D01B442EAE48D732E2F8C901346BC310
                                                                                                                                                                                                                                        SHA-256:C82540979384CDCADF878A2BD5CBE70B79C279182E2896DBDF6999BA88A342C1
                                                                                                                                                                                                                                        SHA-512:B37E365B233727B8EB11EB0520091D2ECD631D43A5969EAEB9120EBD9BEF68C224E1891DD3BAC5EC51FEB2AEE6BEC4B0736F90571B33F4AF59E73DDEE7D1E2AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsDatabase.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):223368
                                                                                                                                                                                                                                        Entropy (8bit):6.790390518378299
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:cqDOhw9PY+4Zl0ZFY9ooyUbc3Kc4dtvU:cQYLlw2cB4Y
                                                                                                                                                                                                                                        MD5:F8978087767D0006680C2EC43BDA6F34
                                                                                                                                                                                                                                        SHA1:755F1357795CB833F0F271C7C87109E719AA4F32
                                                                                                                                                                                                                                        SHA-256:221BB12D3F9B2AA40EE21D2D141A8D12E893A8EABC97A04D159AA46AECFA5D3E
                                                                                                                                                                                                                                        SHA-512:54F48C6F94659C88D947A366691FBAEF3258ED9D63858E64AE007C6F8782F90EDE5C9AB423328062C746BC4BA1E8D30887C97015A5E3E52A432A9CAA02BB6955
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsJSON.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):181376
                                                                                                                                                                                                                                        Entropy (8bit):6.535417258435186
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:40AqxqD7b0Qv6wIMCP1Yr+Xle9WQJTrz96JiBRqMadYMBpCA5LH3lP8FU:3RkD/0Q7IMCP3ePOUBRqKep5jVUFU
                                                                                                                                                                                                                                        MD5:83AD54079827E94479963BA4465A85D7
                                                                                                                                                                                                                                        SHA1:D33EFD0F5E59D1EF30C59D74772B4C43162DC6B7
                                                                                                                                                                                                                                        SHA-256:EC0A8C14A12FDF8D637408F55E6346DA1C64EFDD00CC8921F423B1A2C63D3312
                                                                                                                                                                                                                                        SHA-512:C294FB8AC2A90C6125F8674CA06593B73B884523737692AF3CCAA920851FC283A43C9E2DC928884F97B08FC8974919EC603D1AFB5C178ACD0C2EBD6746A737E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsLogger.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254960
                                                                                                                                                                                                                                        Entropy (8bit):6.54303667228509
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:peGOfaXMwabVZN5rGSFF5qFky5Jb74HthVqbvIy8WvewjLbqzm9iVgUz:sfacB5rJFFh5qb3bmwnliLz
                                                                                                                                                                                                                                        MD5:A16602AAD0A611D228AF718448ED7CBD
                                                                                                                                                                                                                                        SHA1:DDD9B80306860AE0B126D3E834828091C3720AC5
                                                                                                                                                                                                                                        SHA-256:A1F4BA5BB347045D36DCAAC3A917236B924C0341C7278F261109BF137DCEF95A
                                                                                                                                                                                                                                        SHA-512:305A3790A231B4C93B8B4E189E18CB6A06D20B424FD6237D32183C91E2A5C1E863096F4D1B30B73FF15C4C60AF269C4FAAADAF42687101B1B219795ABC70F511
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):817096
                                                                                                                                                                                                                                        Entropy (8bit):6.484394172394775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:1kaJoYf9Z+uUMidkp22We0cRxoJy5DPbTtsqq5dlgM7qcNmP1bGq06ZIEUKth1O7:/Jll87GY2q61llaOZBjKt5qquO
                                                                                                                                                                                                                                        MD5:DED746A9D2D7B7AFCB3ABE1A24DD3163
                                                                                                                                                                                                                                        SHA1:A074C9E981491FF566CD45B912E743BD1266C4AE
                                                                                                                                                                                                                                        SHA-256:C113072678D5FA03B02D750A5911848AB0E247C4B28CF7B152A858C4B24901B3
                                                                                                                                                                                                                                        SHA-512:2C273BF79988DF13F9DA4019F8071CF3B4480ECD814D3DF44B83958F52F49BB668DD2F568293C29EF3545018FEA15C9D5902EF88E0ECFEBAF60458333FCAA91B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):132112
                                                                                                                                                                                                                                        Entropy (8bit):6.109228741444108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3WGjyLgosGplJLT7AwoTFGmrY6sW5P8+G:3wgBGplJX7AHGm8AU+G
                                                                                                                                                                                                                                        MD5:F1E592A7636DF187E89B2139922C609E
                                                                                                                                                                                                                                        SHA1:301A6E257FEFAA69E41C590785222F74FDB344F8
                                                                                                                                                                                                                                        SHA-256:13CA35C619E64A912B972EB89433087CB5B44E947B22A392972D99084F214041
                                                                                                                                                                                                                                        SHA-512:E5D79A08EA2DF8D7DF0AD94362FDA692A9B91F6EDA1E769BC20088EF3C0799AEABF7EB8BD64B4813716962175E6E178B803124DC11CC7C451B6DA7F406F38815
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\rsTime.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14336
                                                                                                                                                                                                                                        Entropy (8bit):4.9513548109773104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HZ2vdzqaLxW8w5/EtHjl+dbA5eI00QF7ji63s8E:paL88/sd0QF7ji63s8E
                                                                                                                                                                                                                                        MD5:A1DEBF02ECBF636E3407DA5287FF7BF2
                                                                                                                                                                                                                                        SHA1:2542F8351605030125BA48361A3CB54EA69D6BC2
                                                                                                                                                                                                                                        SHA-256:109AB83379877DB1A8177F610EC484538648FB626C191DE3824EC6FD7A3A7F8F
                                                                                                                                                                                                                                        SHA-512:53ECC815C9868828DF33B4289CF32F22B99CEB67269B9553429717C91CBF912728C4B3D7AAABD802087480B9AEC56AD8FC65FCF1FFDC8267A07217FC748DD589
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.846136752240531
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:phbWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlAg1O5rxg0XWr:pN1NvbH7O9JKgglrCPChnYVC5A5rxg06
                                                                                                                                                                                                                                        MD5:DADE13E423762BDAE745D57CA3DC86EF
                                                                                                                                                                                                                                        SHA1:7B4122CBEF771C5548A7CB5641B6DB6743C8C3F6
                                                                                                                                                                                                                                        SHA-256:1A1D5FDAC027144BCAA0E8110F4DE717E80944420C59708B3DD8E2BD31BC7ED4
                                                                                                                                                                                                                                        SHA-512:77F5050BA87E8ABEB92298D16897D6CEC087FFB7B4C38442C854A0993B398DE529C15B5674ADAACFB3E39CE05165F05A38337B2DBD41E8A7D806751542F6E8D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.900358338945999
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DIYK1uOKGEXJ7hxwUmX+41C/TUMZc/ZgPPInsYJNM3TPGdTzXpPbf+oBumIJMr2s:D41uOKl7hx9mX+41CLUMZc/ZOPVYJN6Q
                                                                                                                                                                                                                                        MD5:BC75574131447EB445EEB1232AE357B5
                                                                                                                                                                                                                                        SHA1:EC92577F6D83DFE15B77253DF3B421661E22C499
                                                                                                                                                                                                                                        SHA-256:1C44B548ECE47D3E7D9E26C1D31F0E3BDB0D3C73ACFEA688AB2CD67747EB103C
                                                                                                                                                                                                                                        SHA-512:B987DBFBDCBD4443A76EF685D36D460373AB167C79DEE2AD719B9D3F42C9D4C033188A99C8887AAF6593E17F3B3B9E8FACC9E27BF9413A65AED69F866578E1AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.769934969735041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:bIYV7AGeXGfqyuMxUY+iZWBe2v3gW0dFgPaVCe1d3qTS3xH4q9OYtRwbHUWPsLZy:bTAGeXyuMxUY+iZWBei3gW0dFOaEe3CT
                                                                                                                                                                                                                                        MD5:F682F4101F06CF1B5CADBEB09DFCFE53
                                                                                                                                                                                                                                        SHA1:B390DD47FA852E9E1C3A382DA65364FC7566C4B3
                                                                                                                                                                                                                                        SHA-256:06DF84339B108E76478BE1BF35B70A7DCD4DD927FBA2BB70182173AEA8AD7640
                                                                                                                                                                                                                                        SHA-512:F1C8F25511DA1A875A6969BC744FDBE37B713BF23971FE2A6E0E8D0B36531510F6DC1D470FE6455F710E7F8633182061D96AA56EE23147278576064C11597A52
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.7678515397101044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:QIYV7AGeXGfqyuMxUY+iZWBe2v3gW0dFgPaVCe1d3qTS3xH4q9OYtRwbHUWPsLZk:QTAGeXyuMxUY+iZWBei3gW0dFOaEe3Cp
                                                                                                                                                                                                                                        MD5:AA8990AA3D13E0E776F552DCE5B669DB
                                                                                                                                                                                                                                        SHA1:F0BABC7F79489BD143D06D683182457642EB8945
                                                                                                                                                                                                                                        SHA-256:7E0A25E82882D41B3CA99B6736238A1CCF1AF50E67240AE8D234FF6919BFEA96
                                                                                                                                                                                                                                        SHA-512:36C75251F411743FA7F15BFA6109E0CAA86D725E8F2917830B0B1C19B4FC3EAF307BB8F8CC3547F24F1143749E0AB445AE1FE908B22CB40B265590E77765C856
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.727297561865419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BhIYShuTiGMuLj/kyxI0Nc/yGUbwMgWf2iPMXBSSky3WDeFzMShGOBZ7T3GyRKvD:BhUhuTiGj/HxI0Nc/yGUbwMgWf2YMXQR
                                                                                                                                                                                                                                        MD5:AA3066A11238CE14299004DF5F0E366A
                                                                                                                                                                                                                                        SHA1:BFC81509D815E85CFB67409979E0E2B5522381B8
                                                                                                                                                                                                                                        SHA-256:AF9F0BAD5CBF7BCCFF0F059749D9058DE4CE69FA6F7F7238DB0F24A0D237B6BE
                                                                                                                                                                                                                                        SHA-512:6EABDF452F7F8A04976C0F97A7D29DE4F411F8572556BAE55D2A6E55C600A356C5833B79C91B64C7A081F73E0A7E17063BE461B6EBED19F9CA91C1E64D8CC964
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16896
                                                                                                                                                                                                                                        Entropy (8bit):4.850293880518889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iWmNyydz3LxBD5uSw84x/d/dfwJGTV/cEJviNhsFx55n5z5OPMuQ5m5rPzzSvooy:I7LHDFGh0EJviNhsFx55n5z5OPMuQ5mD
                                                                                                                                                                                                                                        MD5:DB774C5850FF8E482E04AE26EE79EEC6
                                                                                                                                                                                                                                        SHA1:FFAE380534E984EC9A336F444351124A46D440FC
                                                                                                                                                                                                                                        SHA-256:FF46247751A2E5135FC6B510BBD51B4D1A4FB902E45A7792AFD9FAD035B52558
                                                                                                                                                                                                                                        SHA-512:7C2C15883647B64A849F4C3703C29EC121B760CCEBB3F5FAE7228CC5FFD0EEAA5F707EAD790D44154B7FC05AFFC54FB00FA1EDD0B1293543DF28CF326A8CA238
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182
                                                                                                                                                                                                                                        Entropy (8bit):3.3280182840546777
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:edJkHlrnRVRlVTlrLffKl88VjLlAcVdhOEQlpQlyEklxlXVlKKngUlWUdA2dJkH/:eLkFrRVfKtDUEQEdkxiKngUhdA2LkFRr
                                                                                                                                                                                                                                        MD5:DBAE7B266DE65E24420546B5C8A4DA48
                                                                                                                                                                                                                                        SHA1:A4A982653E1D1277BF5F7EBDEF7C2AB454347EAA
                                                                                                                                                                                                                                        SHA-256:EFB0929D6B29DD6ED0C106FCE5F3A40D42DC3C4EA28486ED355380F9A92C75E5
                                                                                                                                                                                                                                        SHA-512:C255EBC79F55B83990AFAFC6994061EE0298ED023DB6B991D0A909AFD1B3A9B381484A5E89321A9D7456F100AFC8FA93F2581907972A5D75D833D22DCD36BE13
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:r.s.S.t.u.b.L.i.b.,.5...3...0...0.,.,...f.i.l.e.:./././.C.:./.U.s.e.r.s./.e.n.g.i.n.e.e.r./.A.p.p.D.a.t.a./.L.o.c.a.l./.T.e.m.p./.n.s.b.7.B.1.9...t.m.p./.r.s.S.t.u.b.L.i.b...d.l.l...
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254960
                                                                                                                                                                                                                                        Entropy (8bit):6.54303667228509
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:peGOfaXMwabVZN5rGSFF5qFky5Jb74HthVqbvIy8WvewjLbqzm9iVgUz:sfacB5rJFFh5qb3bmwnliLz
                                                                                                                                                                                                                                        MD5:A16602AAD0A611D228AF718448ED7CBD
                                                                                                                                                                                                                                        SHA1:DDD9B80306860AE0B126D3E834828091C3720AC5
                                                                                                                                                                                                                                        SHA-256:A1F4BA5BB347045D36DCAAC3A917236B924C0341C7278F261109BF137DCEF95A
                                                                                                                                                                                                                                        SHA-512:305A3790A231B4C93B8B4E189E18CB6A06D20B424FD6237D32183C91E2A5C1E863096F4D1B30B73FF15C4C60AF269C4FAAADAF42687101B1B219795ABC70F511
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136
                                                                                                                                                                                                                                        Entropy (8bit):3.2577550388388063
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:yxlrizRlVRlVTlrLffKl8HbloIlrJKleEkKRlLEljlgb1DxlRT/:yvitfK0bdlrElbkKvEljObRVL
                                                                                                                                                                                                                                        MD5:8BB2C27211D87D945C7DEA2A6D0610F0
                                                                                                                                                                                                                                        SHA1:44556E695F6A9608CEF5F5B36F77A3F14B7BEAE7
                                                                                                                                                                                                                                        SHA-256:C5D44160BE7B249FC238A042FAC98AF41FA0F87672B2AC25391C7EB5F7DA509D
                                                                                                                                                                                                                                        SHA-512:A917ADB19778289CDE6791036EB31D8C816BEA728D3559B743AAD9BB467CF212A8F9032176A6F9EAAD01C0D3358C27A989926AB7AE0797FD242024027AC5519F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:r.s.J.S.O.N.,.3...0...0...0.,.,...f.i.l.e.:./././.C.:./.P.r.o.g.r.a.m. .F.i.l.e.s./.R.e.a.s.o.n.L.a.b.s./.E.P.P./.r.s.J.S.O.N...D.L.L...
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):225168
                                                                                                                                                                                                                                        Entropy (8bit):6.780174292328908
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:c7IEMtFMZZi+Ng9999994f9oMlnhcNx3BnG:EZi/MlevBG
                                                                                                                                                                                                                                        MD5:D43100225A3F78936CA012047A215559
                                                                                                                                                                                                                                        SHA1:C68013C5F929FE098A57870553C3204FD9617904
                                                                                                                                                                                                                                        SHA-256:CC5EA6C9C8A14C48A20715B6B3631CBF42F73B41B87D1FBB0462738FF80DC01A
                                                                                                                                                                                                                                        SHA-512:9633992A07EA61A9D7ACD0723DBD715DBD384E01E268131DF0534BCDFCD92F12E3DECC76AA870EA4786314C0B939B41C5F9E591A18C4D9D0BAD069F30ACD833E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\A7N48WB7\rsJSON.DLL, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):144
                                                                                                                                                                                                                                        Entropy (8bit):3.1465636617234907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:fI/RJXrJlrLffKl8HbloIlrJKleEkKRlLEljlgbzQIl/:fyfK0bdlrElbkKvEljObEu
                                                                                                                                                                                                                                        MD5:7E4D096961406FA4F61A4D9048EDD003
                                                                                                                                                                                                                                        SHA1:51C44AC2EAD43EF4E25996C006D29E3AB3B690A0
                                                                                                                                                                                                                                        SHA-256:8EAC8EEC32115F3DEBB898F99906BF7A4EE5B234D50C3A1CE3A315AF6BFA3A33
                                                                                                                                                                                                                                        SHA-512:CB90FDD83FA4943B04D3BA165DE1DAEFC56D36DBD8C4B2819F6EAFB0A109D126C6D3315C169CCA2350717138426FA8B546B253BCA0AC1E72FD2F4BF32B640866
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:r.s.L.o.g.g.e.r.,.4...0...2...0.,.,...f.i.l.e.:./././.C.:./.P.r.o.g.r.a.m. .F.i.l.e.s./.R.e.a.s.o.n.L.a.b.s./.E.P.P./.r.s.L.o.g.g.e.r...D.L.L...
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):183696
                                                                                                                                                                                                                                        Entropy (8bit):6.5543556606749345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:CUy/CR6dEfViQ+7gLmiEw/zrQUTkkySNP0dbNIprWZH:Dy/CVQILmil/zrQV2YbNGc
                                                                                                                                                                                                                                        MD5:B279550F2557481AE48E257F0964AE29
                                                                                                                                                                                                                                        SHA1:53BEF04258321CA30A6D36A7D3523032E3087A3E
                                                                                                                                                                                                                                        SHA-256:13FE4A20114CDF8CD3BBA42EEAABE8D49BE0B03EEC423F530C890463014CCAAA
                                                                                                                                                                                                                                        SHA-512:F603CBAC1F55AD4DE7A561A1D9C27E33E36DE00F09A18FF956456AFEC958F3E777277DB74F0B25C6467E765D39175AA4FCDD38E87A3D666B608D983ACB9321CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\BU6GPN3I\rsLogger.DLL, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136
                                                                                                                                                                                                                                        Entropy (8bit):3.2283432741329237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:2OmwlrLffKl8HbloIlrJKleEkKRlLEljlgb+sMB/:2ZqfK0bdlrElbkKvEljOb+sY
                                                                                                                                                                                                                                        MD5:211A20EDCFA8EDB6054082B0C02EBF36
                                                                                                                                                                                                                                        SHA1:82091C0B6FF618A04D6BAA50CCD258997DB28CE3
                                                                                                                                                                                                                                        SHA-256:03E750521429FC58D552936101FDF8E4B8A5094998057EE09B5388930992AB41
                                                                                                                                                                                                                                        SHA-512:9C50160456A35EAE2919405206FDC670D5C6E09C6D617A6E148CD870A9ABD284EB62F53D95709F48D4C213F6E5B64F77B8090B2BE4F61452A374D967375DDFEE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:r.s.A.t.o.m.,.2...1...1...0.,.,...f.i.l.e.:./././.C.:./.P.r.o.g.r.a.m. .F.i.l.e.s./.R.e.a.s.o.n.L.a.b.s./.E.P.P./.r.s.A.t.o.m...D.L.L...
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):162712
                                                                                                                                                                                                                                        Entropy (8bit):6.432480830925195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6X5TgLoWlo6zvLblsvv5Emm16e68QNmTNh3l2AuZejZnj6:+Oom9Av6RvfltqEZ
                                                                                                                                                                                                                                        MD5:875E26EB233DBF556DDB71F1C4D89BB6
                                                                                                                                                                                                                                        SHA1:62B5816D65DB3DE8B8B253A37412C02E9F46B0F9
                                                                                                                                                                                                                                        SHA-256:E62AC7163D7D48504992CD284630C8F94115C3718D60340AD9BB7EE5DD115B35
                                                                                                                                                                                                                                        SHA-512:54FDC659157667DF4272AC11048F239101CB12B39B2BF049EF552B4E0CE3998FF627BF763E75B5C69CC0D4EF116BFE9043C9A22F2D923DBEDDDACF397E621035
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\DLXGRDLP\rsAtom.DLL, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):188
                                                                                                                                                                                                                                        Entropy (8bit):3.2422749900735943
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:AJ/5KlRDgYlARnFrLffKl8HbloIlrJKleEkKRlLEljlgbsYJ/5KlRDgYlF/:eKlVtARNfK0bdlrElbkKvEljObsWKlV3
                                                                                                                                                                                                                                        MD5:E167544155124FCA596A436E8633A332
                                                                                                                                                                                                                                        SHA1:C4AD9B66219F3FBD2BF245F07A2EE054755A8657
                                                                                                                                                                                                                                        SHA-256:0D8AC1873366CEFD9EE8C3408E8F5F27A206DD352754B948D19E835295D2A362
                                                                                                                                                                                                                                        SHA-512:AB66455A437AAEF89BE94FC2000EBF724F710F263BC7518098980E01320B28054EAC6B965DC73BDCD450218244A7EC22E7B168FE03FB15549013020A52760425
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:r.s.S.e.r.v.i.c.e.C.o.n.t.r.o.l.l.e.r.,.1...2...4...0.,.,...f.i.l.e.:./././.C.:./.P.r.o.g.r.a.m. .F.i.l.e.s./.R.e.a.s.o.n.L.a.b.s./.E.P.P./.r.s.S.e.r.v.i.c.e.C.o.n.t.r.o.l.l.e.r...D.L.L...
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):179088
                                                                                                                                                                                                                                        Entropy (8bit):6.563064733631268
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:nT9nvidN3G9nZm4feQPMYGQh5AB9vaTiYuzdNd6iB6KA5vY:nT9nvDB75Fq91dNd6iB6K3
                                                                                                                                                                                                                                        MD5:D0779008BA2DC5ABA2393F95435A6E8D
                                                                                                                                                                                                                                        SHA1:14CCD0D7B6128CF11C58F15918B2598C5FEFE503
                                                                                                                                                                                                                                        SHA-256:E74A387B85EE4346B983630B571D241749224D51B81B607F88F6F77559F9CB05
                                                                                                                                                                                                                                        SHA-512:931EDD82977E9A58C6669287B38C1B782736574DB88DAD0CC6E0D722C6E810822B3CBE5689647A8A6F2B3692D0C348EB063E17ABFA5580A66B17552C30176426
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\EF17UA5X\rsServiceController.DLL, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.887694928653684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JIY4kciiGg/kISxvnmkYsPV+tIqMvhBhPYTua1j3SfDpu6WbyLWFTXLgNzCii7oc:JKkciiwISxvnmkYsPV+tIqMvhBZYquLp
                                                                                                                                                                                                                                        MD5:F93255F24064A092A60C47999048F56F
                                                                                                                                                                                                                                        SHA1:AC07C75C7DDBD03140B5969F46C425D6EAB68B82
                                                                                                                                                                                                                                        SHA-256:DC80276C4527961A313EB2D20391F48275BC1C15035DFE1B4C859387179D6415
                                                                                                                                                                                                                                        SHA-512:68878CF0ACAFF941DF14F33688B1C5CEF448A4062D03D8D6DD477F0D4247EE416D58E801E07055BBCDCE79ACB146004D672D508C493422926685595CFA564D56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):174592
                                                                                                                                                                                                                                        Entropy (8bit):3.1176056240139736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:URqHi9xDnRbDPi6ag9rucqkerzUCgIMSfZHqdefc8+YZ9:SqmpD66h9lqkerzgIPfF+efc+
                                                                                                                                                                                                                                        MD5:AF1C23B1E641E56B3DE26F5F643EB7D9
                                                                                                                                                                                                                                        SHA1:6C23DEB9B7B0C930533FDBEEA0863173D99CF323
                                                                                                                                                                                                                                        SHA-256:0D3A05E1B06403F2130A6E827B1982D2AF0495CDD42DEB180CA0CE4F20DB5058
                                                                                                                                                                                                                                        SHA-512:0C503EC7E83A5BFD59EC8CCC80F6C54412263AFD24835B8B4272A79C440A0C106875B5C3B9A521A937F0615EB4F112D1D6826948AD5FB6FD173C5C51CB7168F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13312
                                                                                                                                                                                                                                        Entropy (8bit):5.077342736848736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Pp4EAT1bY2bx1CxHdO35YFInizzX83tNeRFYMvF2MJ3s8V:gblbzC5jmtNeRN2w3s8V
                                                                                                                                                                                                                                        MD5:258B536A66A461FA66BF1B22A828FEF7
                                                                                                                                                                                                                                        SHA1:05AC6CDAA5308E494C864C6A52D429B53B7B03C4
                                                                                                                                                                                                                                        SHA-256:48A343D29F16AD2DF477AEE852853BA87618A939412C47E22B186DD9E6FE2797
                                                                                                                                                                                                                                        SHA-512:E4DA0439162BEF082F106FF47724C6677EB8E643C2D3484C181BD3CCDFE99E3B9D8016F24105176E35C33273E1AAF656BF1BC2393701E081F55C4CA06C0EABB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.701646036890297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:HWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVDA1L5rxg0XWr:H1NvbcbSEm22mdqet+wh25rxg0XWr
                                                                                                                                                                                                                                        MD5:3CEFEC17BAAC089C54C8102A4CFD160C
                                                                                                                                                                                                                                        SHA1:A54CD9BD4181A591937A99BE88BEB006279837DE
                                                                                                                                                                                                                                        SHA-256:AAFBE48966DBC5372A308AB9501245CE261D2715F336AD1908C799D354C981A2
                                                                                                                                                                                                                                        SHA-512:2D45193662C7CE2854CE2D3EE53AE199E094D09BC76D8D8A8E36B24EA60400A5F064CA16CE0078FE6CBDF4117C22565C04E47B99CD99868254C915DB6D18700F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.083912292143303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hIYXbXbaQGf0wwrCwYxzJSKqdy6eY5R6Q3Pyt7g0mY3IC1wx+bDqhbXpVuieenTj:hRbXbaQixwYxzJSKqdy6eY5Rt/A7c+hY
                                                                                                                                                                                                                                        MD5:4D014BB25F1423430572433E7CEF9AC9
                                                                                                                                                                                                                                        SHA1:F6EE46387D8EF7505BC39DFDC43172951E85E3BE
                                                                                                                                                                                                                                        SHA-256:A363D4E4940E7243F0D19C2E4BEADC06E545B9B33D3D12B485B2FF8D6954E767
                                                                                                                                                                                                                                        SHA-512:41B3265945340D7BF7BB8E757612990FD2F93B94DBC2992BBC404CFA233AEFC872068DE5E717D43C34D211313B5238E9160EDFF63399A8BF1BD9C3E93246DFFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.728551774224484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JWWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPol1f5rxg0Xq:J1NvbOtEq40uYSatEdHwWloA9Pk5rxgJ
                                                                                                                                                                                                                                        MD5:833F269BA6F0C34F49273DA7FBD7DCE7
                                                                                                                                                                                                                                        SHA1:D0253D322DCDF7F54E37C7E8911A8B77670D2967
                                                                                                                                                                                                                                        SHA-256:F8C769A357E6CD27452835E5288FE515FB50BFEEC83EF3969975171174B467E5
                                                                                                                                                                                                                                        SHA-512:4FA315E23D985AFFB46F6536CDF2DDC1B882F47098EE2D5A4B954DDEEB8904D1C83182B1598E4948A59728339945307B699A147ECD813C0F91986D95BDC57184
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.070760818054194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BIY26Y9TGjEWVWxzJS9gSKiLHQhcScP/yggS2w3tWGPO4JRy0ty6WGbdIY9MAFXh:Bw6Y9TEVWxzJS9gSKiLwhcSSqgwmMGxJ
                                                                                                                                                                                                                                        MD5:F6743DFCDCE11D9A4715DA9A755EB8F1
                                                                                                                                                                                                                                        SHA1:B0FAE08687CBEF60BD68B8BAA5C0AD34C5DEEC78
                                                                                                                                                                                                                                        SHA-256:5AC7A5CF8841161701E33C27859269A9DA61C8C6A9184F3E0E9441B6E6FE5D23
                                                                                                                                                                                                                                        SHA-512:EE486E82D51C3FA717AC99052CAB52D8BEB179E81119EF05C383C8A64E3AA844DCA3710373A619F7971D2A3FA52E54F93D5DFE1DFE077326AB860F8144817D4C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):82106818
                                                                                                                                                                                                                                        Entropy (8bit):6.797993626415827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1572864:8YmpxfBGqc6nHyT/iDR6HMYYfz6p+Oc3jCKNU:01Hc6SaFfCL
                                                                                                                                                                                                                                        MD5:845B221D4B007AF98B10666E5B1A28C3
                                                                                                                                                                                                                                        SHA1:F0B2FE62C9EC83D9BB624A0E1A32D5256C633512
                                                                                                                                                                                                                                        SHA-256:B8970569D12B6BBD90640142F3BE98FBCA63963D8A859DAC060C14494695D4C1
                                                                                                                                                                                                                                        SHA-512:1917C92E9A768D3F7C9BC1AD29B98052DDA354D5061ACC99573FCAE7489AD5B1331717C2597DF25C2AE605D673BAFE2A24222CE1C101F7EB34A1BB68D8394823
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3208704
                                                                                                                                                                                                                                        Entropy (8bit):6.634373076953411
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:mEyWp/rW6xmOscLWpzDVuzDn8HKF2UfoEvlzbTpY:mKpccL1PF2Ufxba
                                                                                                                                                                                                                                        MD5:48B932FF8C977E3991E959F824883AD5
                                                                                                                                                                                                                                        SHA1:6E1BBF12BE0BABAC3EC6E30487AE0A66950E6B8E
                                                                                                                                                                                                                                        SHA-256:764F9A8F8388D73AAB366D24645A49AE055318DB1F4FD88636E2B3A61AE95987
                                                                                                                                                                                                                                        SHA-512:777875B3237442437BC3D9DF558F8D23825B618CF04BC07D3B8DD42A72A8FE09AFA20E6B31791FFA86A12B22D7395D419B250313306C41EE854AE62BC1FD9498
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):141824
                                                                                                                                                                                                                                        Entropy (8bit):6.259166846082307
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bjhPruBXUUxQvlfseJLtqfAg0Fuj9OMpTGpfD:nhjNUxW6AOHeD
                                                                                                                                                                                                                                        MD5:378AE59FFAECECAC8627A35B42C74147
                                                                                                                                                                                                                                        SHA1:BCFBE797416322662C2776F96E87BF217430F557
                                                                                                                                                                                                                                        SHA-256:003EFD5E26C4E0338FB11B823D424F1C499C16391961C185F5F9A9FC71E56F82
                                                                                                                                                                                                                                        SHA-512:105067A1AD250E8876715C8717FADE20D79575A5C594DC1899015979CFAF4A5AA8F983ACC73BBE23A953A962A1C4AA4955F2DD586AA3BB3A9D59C50D95345662
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2682920
                                                                                                                                                                                                                                        Entropy (8bit):6.8309434037236505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:k8NtOFS+g/q2/1upBe3ytP4VKpHThGZ7aM0KB4JRwTckxs8sLZ:k8NV/qloC6VKPGhB4Jz
                                                                                                                                                                                                                                        MD5:AE7FBFF183FF30913EBEB38913E8CFAD
                                                                                                                                                                                                                                        SHA1:545CF38E47318185E168F04A733C2E0B13119C21
                                                                                                                                                                                                                                        SHA-256:F366F293905BE928918AD30A020FD369E139F64FADD4CEDFF9F9FA1E663E9065
                                                                                                                                                                                                                                        SHA-512:BAF9D4EF6C607A15DC203321E3412043B446776F4E364EFDB856F804E889853BEBEEA8EA98B319ECA468E2EE8E305050205CB19F280C33427E39967E4CA9FFBA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):83256
                                                                                                                                                                                                                                        Entropy (8bit):6.101042810707695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:tCRIsR6gNFbzfv9i6Ix3RWCS35BrxOhG4ZcvblF:/sR9NFbzABxgCSkhG4ZcP
                                                                                                                                                                                                                                        MD5:EDB96675541D0275C42096B64D794D3B
                                                                                                                                                                                                                                        SHA1:D722C55EC62DA1866A6EF81072970117B85CF290
                                                                                                                                                                                                                                        SHA-256:842DF63767CACB7AEDB75FB352C1505D518662E2E9DCA5A297515EBDAE093918
                                                                                                                                                                                                                                        SHA-512:5C7C2E848C68F6168035DBFB834D31586D0CA1ABB16F220C617F9E36A87B6D4FF0A1AEF03A73D5313D8962C9BEFB1BDF3ED2A700EE3668DF948EC067E2B1D124
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.890541747176257
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
                                                                                                                                                                                                                                        MD5:75ED96254FBF894E42058062B4B4F0D1
                                                                                                                                                                                                                                        SHA1:996503F1383B49021EB3427BC28D13B5BBD11977
                                                                                                                                                                                                                                        SHA-256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
                                                                                                                                                                                                                                        SHA-512:58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1022
                                                                                                                                                                                                                                        Entropy (8bit):3.4987034854146972
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:QTzyegmh3hFPvC6yffCHC6ywiCclC6yGCA/uwK60wwXYUC65wK60wTCa:kWEhxFPvcCcw0lcs/uwSwywSw1
                                                                                                                                                                                                                                        MD5:DAA9B5DD2DE4F31D67C473518E0B5F27
                                                                                                                                                                                                                                        SHA1:834A8CEB5C4553DD18A40C7768A2134D4E1A44E4
                                                                                                                                                                                                                                        SHA-256:FCAA7249D9E038DFF7A327DE52987EC9C4F14E640F747F9163C274508876C5BF
                                                                                                                                                                                                                                        SHA-512:F8A7241D6CB7C9D972862EC32FD6C7719836CB6B7E61B3B15CDBBADD7E90F1C9879575F30995939F611DBE6307FB8D66ED758B539DE1FA8D6A2297037D2C7F8C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..;. .I.n.i. .f.i.l.e. .g.e.n.e.r.a.t.e.d. .b.y. .t.h.e. .H.M. .N.I.S. .E.d.i.t. .I.O. .d.e.s.i.g.n.e.r.......[.S.e.t.t.i.n.g.s.].....N.u.m.F.i.e.l.d.s.=.5.........[.F.i.e.l.d. .1.].....T.y.p.e.=.L.a.b.e.l.....T.e.x.t.=.L.a.b.e.l.....L.e.f.t.=.3.5.....R.i.g.h.t.=.2.6.5.....T.o.p.=.1.5.....B.o.t.t.o.m.=.2.3.........[.F.i.e.l.d. .2.].....T.y.p.e.=.L.a.b.e.l.....T.e.x.t.=.L.a.b.e.l.....L.e.f.t.=.3.5.....R.i.g.h.t.=.2.6.5.....T.o.p.=.2.4.....B.o.t.t.o.m.=.4.5.........[.F.i.e.l.d. .3.].....T.y.p.e.=.L.a.b.e.l.....T.e.x.t.=.L.a.b.e.l.....L.e.f.t.=.3.5.....R.i.g.h.t.=.2.6.5.....T.o.p.=.5.0.....B.o.t.t.o.m.=.8.5.........[.F.i.e.l.d. .4.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....T.e.x.t.=.R.a.d.i.o.B.u.t.t.o.n.....S.t.a.t.e.=.1.....F.l.a.g.s.=.G.R.O.U.P.....L.e.f.t.=.3.5.....R.i.g.h.t.=.3.0.0.....T.o.p.=.8.9.....B.o.t.t.o.m.=.1.0.0.........[.F.i.e.l.d. .5.].....T.y.p.e.=.R.a.d.i.o.B.u.t.t.o.n.....T.e.x.t.=.R.a.d.i.o.B.u.t.t.o.n.....L.e.f.t.=.3.5.....R.i.g.h.t.=.3.0.0.....T.o.p.=.1.1.0.....B.o.t.
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1113088
                                                                                                                                                                                                                                        Entropy (8bit):6.605073214827898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:lJGAfbL/zinmJsPil8CXKZ7VHxSIQokA5OKQmwBg7MdtKTAPK:3GKzihPfCYRS2Z5ImQqMdgTAPK
                                                                                                                                                                                                                                        MD5:B57D15325636150EB138DA1AC7387524
                                                                                                                                                                                                                                        SHA1:93E69B7281955E9F24253E2D2ACCEEB1281DF567
                                                                                                                                                                                                                                        SHA-256:45FFC3DFC4F922AC5E461B54627F1A6407AE681C545D70DBEBDD18095933D886
                                                                                                                                                                                                                                        SHA-512:919D3DF10953CB305BAF29A3C20B55CB8D97D98CCCA8EF5A23924552D8C8C0692A00726BE09379D2E847B8899C6C351CE1D4705F0F6DC8B07C99C92B745D2FD4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):153976
                                                                                                                                                                                                                                        Entropy (8bit):6.331457760426863
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:DAZpz3eQkXBlJ6pM91zgrn4oul5ntwcfsOct7BjWSP8B:DAvzD6l0+1grn4otBWSUB
                                                                                                                                                                                                                                        MD5:3351152F6EE87E97682A0A7C459EF614
                                                                                                                                                                                                                                        SHA1:5312F9DA67FCFD573DC5E45F6A7CC35FA463AF89
                                                                                                                                                                                                                                        SHA-256:6E2673687BA029074657F0D1C4410691EE013EFF2223D0C7695DFE4F70C62F1C
                                                                                                                                                                                                                                        SHA-512:2B7ECB22746BF907AE4DA891E170226DA4F180ADE27E41A16E1EF9E11F39E5E35B9EAC3FCFFF520DBB8A8888A1DBD1CA2459AB58CE8DC44A424C5DE7B8132DE6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349856
                                                                                                                                                                                                                                        Entropy (8bit):6.2160026026399855
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:81sSJApTSnQU/x0ImhuDzHfs4zbYOjujDRfygDgKQINXLLHIaKlay8weCycJ5Dfk:81sSmRIt/xhtsOju1DH5NXnIKAc4NU
                                                                                                                                                                                                                                        MD5:A09DECC59B2C2F715563BB035EE4241E
                                                                                                                                                                                                                                        SHA1:C84F5E2E0F71FEEF437CF173AFEB13FE525A0FEA
                                                                                                                                                                                                                                        SHA-256:6B8F51508240AF3B07A8D0B2DC873CEDC3D5D9CB25E57EA1D55626742D1F9149
                                                                                                                                                                                                                                        SHA-512:1992C8E1F7E37A58BBF486F76D1320DA8E1757D6296C8A7631F35BA2E376DE215C65000612364C91508AA3DDF72841F6B823FA60A2B29415A07C74C2E830212B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552592
                                                                                                                                                                                                                                        Entropy (8bit):6.677913386734197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:vZtZVgIQtZM1A0+Nwhq3drt0ZAPKYZzrOZW4mlKhl:vZf661A0ue8lCZAPHZzrOZW4mlol
                                                                                                                                                                                                                                        MD5:41A3C2A1777527A41DDD747072EE3EFD
                                                                                                                                                                                                                                        SHA1:44B70207D0883EC1848C3C65C57D8C14FD70E2C3
                                                                                                                                                                                                                                        SHA-256:8592BAE7B6806E5B30A80892004A7B79F645A16C0F1B85B4B8DF809BDB6CF365
                                                                                                                                                                                                                                        SHA-512:14DF28CC7769CF78B24AB331BD63DA896131A2F0FBB29B10199016AEF935D376493E937874EB94FAF52B06A98E1678A5CF2C2D0D442C31297A9C0996205ED869
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):371672
                                                                                                                                                                                                                                        Entropy (8bit):6.117467840486005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:7ruNWxFaLx73+nRo2GGmZ2CRGpAM3JUGuT5up6zOPLyU0SJFNFaFeFOFwcGF6cmb:GNWx6xz+nRo2GGWHQZMaLyJSJFNFaFeQ
                                                                                                                                                                                                                                        MD5:42E6E9081EDD7A49C4103292725B68E2
                                                                                                                                                                                                                                        SHA1:62F73C44EE1ABA1F7684B684108FE3B0332E6E66
                                                                                                                                                                                                                                        SHA-256:788450452B0459C83E13DA4DD32F6217BFB53A83BD5F04B539000B61D24FD049
                                                                                                                                                                                                                                        SHA-512:99EAB89BF6297FDA549C0B882C097CD4B59FD0595FF2D0C40D1767F66FA45172CA5B9693DBF650D7103353F1E1FB8E5259BBCDE3DFA286DEE098533A4A776E8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75576
                                                                                                                                                                                                                                        Entropy (8bit):6.015125829078427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:f784YWau8lqubx6WxXLA+o2SLFyEdux136ytgHo0AuresehSAU9bP8F9x/:f7NV8v36tI0XCKAmbP8x
                                                                                                                                                                                                                                        MD5:29E6AE1A1AF7FC943752A097EC59C59C
                                                                                                                                                                                                                                        SHA1:6D5C910C0B9A3E0876E2E2BBBCE9B663F9EDC436
                                                                                                                                                                                                                                        SHA-256:CC9BF1FEEAB1D76221508D6CC98E8BDC1603D5C600C5ED09C108E31B8BD3A6A2
                                                                                                                                                                                                                                        SHA-512:CC6D55E5FD23C89D73ECBDDFA92C102F47F8FB93F2F6A41D2E79708E6A8D7C13C1961DCD07810DB3135D2F8DDCBF3535FB3EA3D1FC31C617CA9B10F6B867F9A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.881167538031942
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:lIY1pQ8vGO4xToxMi5eX2zUA8rYgLIgPrEyz23tMuuVWJkYUECd1Vl7Iru+M3YVO:l3pQ8vQToxMi5emzUA8rYgLIOrnz8uuI
                                                                                                                                                                                                                                        MD5:EE2E523BBFB65E138B64EAFD223DE12E
                                                                                                                                                                                                                                        SHA1:7F3FB82A3F6643963C0F4F2903F35389EE3AB775
                                                                                                                                                                                                                                        SHA-256:2B2BE36B51272B6F0117A40320AC48CD0E415AFE2EF4FBA3AF06A7EC166A949D
                                                                                                                                                                                                                                        SHA-512:2DAAA1BB06DDFAAC09328D06E239A9C518B7D3F462BA4C075D7DF71A23BBD7255C75C2A5B28B8238919FBF587C704E35580BB3533CE5730BC21A561AC8441490
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.747406513994599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hIYRN3EsGGj3fvKEx8rUrb+M0lIVixNPqDGomU3WUeQoXjAUwMXrAfeMA7AWmBHl:hXN3EsVfvVx8rUrb+M0lIVixNqiomyJx
                                                                                                                                                                                                                                        MD5:F2317FEF5CDCE4A19E6E7216DAA0624C
                                                                                                                                                                                                                                        SHA1:BDB39EA1300B158FCD76204ADD8F9F1F7EA0F2E9
                                                                                                                                                                                                                                        SHA-256:DA0E42EDF577C58CB729C8925860AFEC61E95CC355B40EFD8FA61993766733AF
                                                                                                                                                                                                                                        SHA-512:B7A16F4BB5E20D2FB1FF76991BC3C917E65BAA60507676845E1BBFC68D800CC061AF97D325B67DC1A2AEEC02FDB289BB8BB716270A7C2044B3993B326556985D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.758980695953914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:s5rayxOPAxMtzTxCmf6hC/s2TvOFk6AOPh3+yFdmyndZ3s8i:hPAKtnHOdvPhO2dmyndZ3s8i
                                                                                                                                                                                                                                        MD5:9804DD2DCCDEC91872FBAD3EDA445C64
                                                                                                                                                                                                                                        SHA1:5689B6214C5BF0205AB7CBF437E4E2ABEBDEEEEF
                                                                                                                                                                                                                                        SHA-256:4F45EF000DBEC7C4E8FC8AD12F32538515711B78F593F5BC650026C43B6F9A66
                                                                                                                                                                                                                                        SHA-512:74C30DF986733898481A1ABE11C492476A524ECD06BA3B6020333F2C7D1B9961563ABE92E2B1413AF9DBF5C05FDB17B1B16763FC0419D2F95C8717D1F3EAC6E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.557060180794725
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0MiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufP/1S5rxg0XWr:0D1Nvb5adVl8P2djJMZJSGu3A5rxg0Xq
                                                                                                                                                                                                                                        MD5:F83D720B236576C7D1F9F55D3BB988F9
                                                                                                                                                                                                                                        SHA1:105A4993E92646B5DBB50518187ABE07CA473276
                                                                                                                                                                                                                                        SHA-256:6909A1C134D0285FBA2422A40EA0E65C1F0CA3C3EF2B94A1166015AF2A87780F
                                                                                                                                                                                                                                        SHA-512:FD8A464F2BC9D5B6C2EFA80348C3A9362F7473D4D632B2ADDAD8C272E8874E7E67C15B99B67E6515906B86D01D57CD42F9F0F1E9251C0AF93A9391CCC30E3202
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15360
                                                                                                                                                                                                                                        Entropy (8bit):4.985998121932066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+npUcW/WJsxvxwKW9iu6Wxtp701zA27r+PMvozTX3s8o:8Js5xEGzfOPMvMb3s8o
                                                                                                                                                                                                                                        MD5:85B95BE9A2FBAE4A187277A3FBB337AD
                                                                                                                                                                                                                                        SHA1:9508C5FB5554E3792813D1710D9D244072A87A7D
                                                                                                                                                                                                                                        SHA-256:DA24D2E2396EEF6FBB6E775A16EE87F1E4CA4AFEC25563AD43D4026F5A091E25
                                                                                                                                                                                                                                        SHA-512:A9380494FA34EC315CC46D7EB5D5EDB7A9F6F483BFD8D8935E915DDA98215236147E81FFD36464625B2EA4513A094DD51C512B5487FD8790E148F0D455C1348B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.714734931607904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KIYVmGe/VGuDqni6wxCjfp3DocEs5dMvGPcDonP33TewxlhiYwEHU4dIyrokBD7l:KuGe/V0ni6wxCjfpzocEs5dMvkcDqPDz
                                                                                                                                                                                                                                        MD5:8E236AD6A968F834EC829B984B362304
                                                                                                                                                                                                                                        SHA1:719425A2CD4D6AE97A42034A095D1EBA25E6C2F2
                                                                                                                                                                                                                                        SHA-256:27EF93D50BFA2053AF7C6A765204EE3E22C2D18123FA07ED453F3C8A45949C5E
                                                                                                                                                                                                                                        SHA-512:FB54EF07D6C0C565685EE8C628219D6E7F0A4AB0BBD4AE1738ADDD1FD459F90BE1A015C9BEED5937266DEC6E0FFEB3E6A728BFB38030D3E96A84863F0EA1B0CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.425694157692337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:r0WWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAP9115rxg0XWr:r01NvbGVxx6hUltfxgE00cLF5rxg0XWr
                                                                                                                                                                                                                                        MD5:15DB634B70D6D9D6CD41BAAE3F02EB14
                                                                                                                                                                                                                                        SHA1:1456FFE09DF896271A746F9CB40A230F188AD397
                                                                                                                                                                                                                                        SHA-256:E893C6907DA8D68C03B1A10E68B554AD5A8C0533F15912106F32E925F2BEABF0
                                                                                                                                                                                                                                        SHA-512:1230E5368D4DAB9776D57056993669327E95FE72E262EFA541ED5D43ABC1BCD3618DB13B6BD6B3A27DA053C103E3FB647EAE759CCAEB443F7D9FFD1ECAA1122B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.724387918625746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IxIYXkNcDGwgTsxJoRxAM2+9Ul/laxRe+PE8v+GA3kr29zrJzfPWCiqxskBbHUiH:IxRkNcDtxJMxAM2+9Ul/laxRe8ZGGWgC
                                                                                                                                                                                                                                        MD5:314FF54C08F9C461D7D5F01849E98A26
                                                                                                                                                                                                                                        SHA1:2344D2E9596A2A49F2950ED71E58C4413CCDF3CB
                                                                                                                                                                                                                                        SHA-256:1F0C64E62D5583AB132EEEF816CBB119C5EA436656CEC96CCDC2BEF4DCCC46AC
                                                                                                                                                                                                                                        SHA-512:433EF0D73A7CFD70244AFDAB2AE401C36A1DD247472BD51280A03E428702A1AF37CBFDF54AF554D12EAB068F88F568067BCADA5C6DCF20A9AFEC6852F75A3AD3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.400892179402441
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:O0Zne9hwoGBjeCipxwU6LOl+DDUbqN4PPjjDr8d30LfmJyXOhZCa2m5sml+T9lmH:O0Y9hwoEipxwU6LOl+DDUbqN4Xjz8V4q
                                                                                                                                                                                                                                        MD5:4F631AAEB5AE030730DEA6914E2D1F7D
                                                                                                                                                                                                                                        SHA1:B7067AAADF75F56EE975E7ACA675D1B8C08DC8D8
                                                                                                                                                                                                                                        SHA-256:A924B53A87704120CE886F05CD94569DEF1B6AABF201EC22C8D4CDA547988619
                                                                                                                                                                                                                                        SHA-512:4CA227913B238DB98CB866A4738F38195DC06ADBE7452D79AA077A817479E657DBF1D10E9A300BDD35D0DC6DCF72C013DF5A3D8E5C1118C09F586260C35F1003
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.837530219353483
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cY0al1sBIxgyFzjXZfu14MpXrOUDlK8yXahGY7uXJ3s8D:CBImyDM5DtyXwGY7uXJ3s8D
                                                                                                                                                                                                                                        MD5:3B5352CA4CB06DAD6C6CE7F15B757810
                                                                                                                                                                                                                                        SHA1:7ECB52EC5909FC6E9DF2BF591D1A12CC33F8E842
                                                                                                                                                                                                                                        SHA-256:E59969A07F3AECC9303A8ADD6D1F36C058472342A98B1DB274A1FD8E0EF6CA74
                                                                                                                                                                                                                                        SHA-512:D808F61552F1F59080E4A027075F4BC66AFECDD78DD970FBF8DD25CFAC65BC5C619D964DD14E41A5F6209154D1EA7A5D4943FE35C12F4E0892FE1267E47DCF12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.588569516197988
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YWWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VP81g5rxg0XWr:Y1NvbdKJiDjgmlRi0HYZDMp5rxg0XWr
                                                                                                                                                                                                                                        MD5:3B4621370ADDCF4306669C9E7E45C865
                                                                                                                                                                                                                                        SHA1:EA1AB3C499E946E152C1FC4A63FA99E1F9BE94B4
                                                                                                                                                                                                                                        SHA-256:E3EE50E08124A7603BE7D996DCF596EB0D3F9C603768E86E003F7B942D7097F3
                                                                                                                                                                                                                                        SHA-512:586755F32D16AFD937BFC1FE3C52210AB815D5D4C904DE101150FA052A94BABFCBDC465669FF8C2537B782474658D7912037DDB76D8C9A8FD34715D1FE7B2857
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17408
                                                                                                                                                                                                                                        Entropy (8bit):4.802041892251835
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VME5h/2kXJsxw5w2UW4ctvHU+Th60iu2F6mKVZnCyJT2ox8mn9THjI5gE2ac753E:BXJsO57hOt9AZnttxKqz3s8Q
                                                                                                                                                                                                                                        MD5:07261269F0355CB5B8C000DA3566B6E5
                                                                                                                                                                                                                                        SHA1:891B18A58432D46C0C943239A2EBE51007F982E7
                                                                                                                                                                                                                                        SHA-256:2E56643C064050DE5F6061B8C3E507B819D28BDC952647CB8A6B966AD6E3FFBE
                                                                                                                                                                                                                                        SHA-512:2A958D567F0D95F270F9DBA7D6AE88F10279C0DA073E6F008DD2E0118324386E52875BAE4F506DBDAA0C45BD6FF1CEA70276EBE5CC22D4CAE7214FCEAFD764CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.743164798651778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:yIYVdDpBwGpkiVlZPxZlrPy2o92kGetEQyPIlUVKC3JDsS7qSmKV/4jNni67gXWE:y1DpBwSkoZPxZlrPY92kGetEQII2oANF
                                                                                                                                                                                                                                        MD5:D43FD55D52A82BAD6C98008801D90207
                                                                                                                                                                                                                                        SHA1:50B9EE0CC11B0C29022A3B4EFD928284E846B6C8
                                                                                                                                                                                                                                        SHA-256:C6635270A0420CACB869FDE826E72E96E94636473369CFDCB09280FDDD4ECAFE
                                                                                                                                                                                                                                        SHA-512:9EFF61089B7B8156AB78D50F3BB82498C2812BE64955353A5FE4A143F96DF79620DF8911125DEC00BD124484EA00E39A4157E3F87F6EC9C9B52FA13016E17AEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):4.800749080991806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ndpTgTI4gNxtBqu+p5DXv00jiOKQosgcekILk0pltfU3s8Z:t4gNrBnOVlgcekILfpltc3s8Z
                                                                                                                                                                                                                                        MD5:0DEC5C4C1C673A7CA6F1E9BEF8DAA9F5
                                                                                                                                                                                                                                        SHA1:9296735372A36C4B84F98563A2661928EA586773
                                                                                                                                                                                                                                        SHA-256:E4326509EF689F63A130756228E348EB45940BA09A22212F7C826C17240E4EBA
                                                                                                                                                                                                                                        SHA-512:5ABBA62A4062697AFB673BEF5F92544619FA242BD014508A6CCF5617B40168042409E543CC2E5CCA009DC2AE342B61FBE0D4C5594C1D52B2E756302ACEB30A43
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.6818573968387645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:sqIYIZcKqG4ny8ZxSWuwCoBWidWjZdPAhDHPBg37eXCIKKXgXruQm8X0tF8HgGCy:sqOZcKqG8ZxSWuwCoBWidWjZ9AhLJ2S4
                                                                                                                                                                                                                                        MD5:5E34215E6294D9382D0A51323F976B63
                                                                                                                                                                                                                                        SHA1:A161CB06FEE5E2669FC004178C230CACDAEA462F
                                                                                                                                                                                                                                        SHA-256:CB211A058273C109746CD00F96E0BA02D24C9CCC49315FAF036B580238F65F0E
                                                                                                                                                                                                                                        SHA-512:1B0E3D83AFD4DA4DBA5A212C02181F99E4CAE904174C587255263D52B7EC40C02E080F19646E5C0D6066F577C6E00B37DB94C980788964C4FB7C128F8E8BA139
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.76812009374708
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aIYr9kupX/Gdq8SQxZdNYobyRXvujVf9UgPw/ev3nww3OajMRD1TLIjB5leULIpI:a3kupX/GSQxZdNYBRXvujVf9UOwGvwwH
                                                                                                                                                                                                                                        MD5:441AC1C5155182D0BFDBA377A858FE74
                                                                                                                                                                                                                                        SHA1:B4DDE792E5833352CDE944BDA57C0CFD3F1C985D
                                                                                                                                                                                                                                        SHA-256:36294FB621E9D99711F4D906AFD25F2397507F0E39FD07AD646D17CB2A3B0375
                                                                                                                                                                                                                                        SHA-512:D9F81AC33E863DBA1BF03D59A739E6F3F6DCAE6836FF1F3565771475232C1D311925E2A02A60110F2B4DD902C52D38557F9B28D86CF97A2792D2A9B28FB46C99
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.368637490829895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:vOiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPD1q5rxg0XWr:v11NvbGTNgr1nJI3+07MM5rxg0XWr
                                                                                                                                                                                                                                        MD5:1C331DA4BCE2809E16913C02E385576E
                                                                                                                                                                                                                                        SHA1:CF8E71E030347749596A53D1B13B9E9583EC0527
                                                                                                                                                                                                                                        SHA-256:1D0493E38D8B3FCC7EFA4916FEA1EEA69EE6449BF435E1869C1BC3F54D4090C5
                                                                                                                                                                                                                                        SHA-512:2871119690F3DF0F244384A3F5F65FFE7CF17F1F00F6B530512AEDEB8397C9E357079E8FBA76D2A5BF6BE4E2B18E4AC1AC104EA2D29F8F40CEF6F30A905ECF83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13824
                                                                                                                                                                                                                                        Entropy (8bit):5.091819593877884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OxwAHD6CkxQdCnvRl/oRHx8asale681v/V3s8V:xCkSdK0t81vd3s8V
                                                                                                                                                                                                                                        MD5:491E0BB03970BCD681C264675E65DFB4
                                                                                                                                                                                                                                        SHA1:F4245F334C084D45DC9FF6B63ED4B50355FD6D73
                                                                                                                                                                                                                                        SHA-256:A0C4368ACE35825B6BA54D83F04E787A20BA7998EE8592FEED51787B1F053B99
                                                                                                                                                                                                                                        SHA-512:599C77E40A174BA3C0A3003B32A6AD0B1C8DD2BEEEBC977DE16EAE9C8686C77996458E89983E955C4A9DBD1C9E54EE275848A09CC2C697F575E013E6B9389886
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12800
                                                                                                                                                                                                                                        Entropy (8bit):5.203697308171917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+FWuuyUdKvx4W9SxBmJsEMGFW/uuH2LlLTDUCl9w5JHJ8/uDm3s8r:FdKv+WqV2ZLToU9wXi/uK3s8r
                                                                                                                                                                                                                                        MD5:AE60D61E47219AED36F791D067F3037A
                                                                                                                                                                                                                                        SHA1:A0C3173B5034C187F8EE05A2C2D119BD773C079F
                                                                                                                                                                                                                                        SHA-256:AFF47CAF8450AB56E3CEAD10F4C6CD746DAC2D97A745114FF9197D4C413285EB
                                                                                                                                                                                                                                        SHA-512:B98B91AC5A9ED0EA50BC9BEF999FA41A262FAE7AC228F088A7B1E56645BE5B566C0154297A1F048C5DED6A4FC438A3BA6BDCBD0965057B8879AD7FD775D603BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.693723661436578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DIYfsK6eGOy+v3qxh7EFBYn1p4hVYTPMPhT9CEGF3aN3MfCExO4MV09J7wcLaaEY:DZsK6epv3qxh7EFBYn1p4hVYTqhTAEGt
                                                                                                                                                                                                                                        MD5:5A6F72260B46A5D10D9C0A779A296B82
                                                                                                                                                                                                                                        SHA1:C8EA84BF62A5F28B5549902CD5E2C13021EDD3BA
                                                                                                                                                                                                                                        SHA-256:3CE83301DC7273EED3FCD302E7C3B048C86454C949E1625BF9076097A95F5C9F
                                                                                                                                                                                                                                        SHA-512:EF8FC330E14B6BC0AA78805138E797201BC4115B915F12A26F7A3A2CE87457679015EFFBABC681DA7FEA529B031EF1E5C0A2E5B688033402028513BE35B799D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.73557270770413
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:htIYBN1XfOGCvouQTxklOVw/lzyOl/dEf80gPCdmP347U9DC47aqFD37E/avkeZw:3TN1X2HQTxklOVylzyOl/dEf80OCQPAB
                                                                                                                                                                                                                                        MD5:D4A8DDF5309E7EA0A4C1EAA2B46B72FD
                                                                                                                                                                                                                                        SHA1:FEFADFBA4F8134683DD6719D0AA425B695074BF3
                                                                                                                                                                                                                                        SHA-256:B0BE52F2B312847AD47DAB37C2732837529AFEF79DD7F970F675EC2827186787
                                                                                                                                                                                                                                        SHA-512:E0547185D6B0E5C3B491E9959E2A5E1B0D95028668AE9A50D02027767B1918AFEB3755DB5B07E1B5F6EC71AF4AA4E592E73A2C5C214262E3C6117D7A0D836ABC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.8030182107343204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3IYfp3DcrGr6SHAOzLxE6oMuN50rtbxn/XidPWd3SJC30Gh58xSoHR+hxWfbrVsj:3Zp3Dcr2NAcLxE6oMy50rtbxn/Xi9WdX
                                                                                                                                                                                                                                        MD5:43EEACA65E1A59D947175491EAB013F6
                                                                                                                                                                                                                                        SHA1:9E3F6EDC0BBB9E9BFBDDD4AF7DB6118A6C850671
                                                                                                                                                                                                                                        SHA-256:C21E2DC26BD0CF8591453CFBDFCC7479A74C82853E0860FEE64B653C3E7B22A4
                                                                                                                                                                                                                                        SHA-512:EAB0B44ACBDAD127682426D9FFEA0C6D76F14A9B2F8BE0284E3E54E004BB32A7766F1D382AEA3A7BFCDBBFABDB29C225A64FCEC3442D062511D3F77A5092BE7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.594776627495051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:haWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPb1V5rxg0XWr:g1NvbaG1cxy8ONHskdD5rxg0XWr
                                                                                                                                                                                                                                        MD5:B60817A69E314B22F746917C826DA53E
                                                                                                                                                                                                                                        SHA1:7D2785A6D1A53A0717C986B959AF67DE6F9300E4
                                                                                                                                                                                                                                        SHA-256:6E58D86C42B61226DD7AF35D7C9432CE6F0982D1D0D5A2F4120E8ABC5C787A02
                                                                                                                                                                                                                                        SHA-512:9A8F029329CE105B3F72FEE623E3AB8C88E1AF45F86FAB61F81BE418B2D70F83E4C0466010D312240A01E1EF8F9B9926EBF43E25BDC3C364C2D28AB9B0E5F6FC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.715973311068644
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:bIY1nlNKGnxGxIDx+sQ0Y4EQujHOVhPgdfBF3UTVV/Lea/FVgYISK+uZqiF4Afkq:brnlNK/xIDx+sQ0Y4EQujHOVZgdBtofc
                                                                                                                                                                                                                                        MD5:F86231C09FE30F3B630F2B066ABC0B7D
                                                                                                                                                                                                                                        SHA1:B3F8D8A213C5198F1779A589EFF3C77E181DEF72
                                                                                                                                                                                                                                        SHA-256:33938DBB2DB55BB6DF6D7671E1A57A07022E17437DEA0CDFAE79BB164CC2A372
                                                                                                                                                                                                                                        SHA-512:28FA420813634464E12A6F2F477A0C118876E455422C49749D3D503519F515B529F076A2AEFDD18CB3B0EF4ABDE229A3C4D348E5F56D098679C3107348F2DC1C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.731031969686216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IIY1nlNKGnxOu7xKgUOVBQ6Bo19sPzPLegs8+3vCqV/LMa/FVKYIS+9wOTKQiF4O:IrnlNKNu7xKgUOVBQ6Bo19sPTLM80ao7
                                                                                                                                                                                                                                        MD5:7A0E351F6B323DD69619208A03A1B878
                                                                                                                                                                                                                                        SHA1:54CCA58C4D6E315C15D9CA76B8DE06F1F66889FA
                                                                                                                                                                                                                                        SHA-256:33C96B6F6F830BB4717956B0D89F780837389AB2AF4564F6CACCC360B2C3059B
                                                                                                                                                                                                                                        SHA-512:4F57222F9F8E76A571FB2B95839E8CF29908509DC376AE9C5553B48BE8407305CC8CD41AF55FC5913CF1BAD9B9EFB4879646D74FD9B622CA6D0220CAF0FD3382
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.72532222668886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:sIY1nlNKGnxOu7xKgUOVBQ6Bo19sPzPLegs8+3vCqV/LMa/FVKYIS+9wOTKQiF4n:srnlNKNu7xKgUOVBQ6Bo19sPTLM80aoC
                                                                                                                                                                                                                                        MD5:D192C04626F6408AE49827C844423A97
                                                                                                                                                                                                                                        SHA1:020F0129B5F3833743FAA0D406C1B0D12F0875A6
                                                                                                                                                                                                                                        SHA-256:4B4D398CC97A2BA0B4F83E3BDA159C8B6712D7039C88C5A6E2374B6C83D296CC
                                                                                                                                                                                                                                        SHA-512:118961F9ED1196D25E311532FB533FC7D266F33192C3EBC8D62DF91DD7C1DE3B3521DD8C092049DEF5E31C36A972991FADC243B50087FFDCC61CBE0E60554425
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.786221406079869
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2xIY4puUhG9oHusJxWgAm/45t6lSertHPHrgCs324VfosqPXMdEqljSNPEinIOB5:IapuUhg7sJxWgAm/45t6lSertvHrDapm
                                                                                                                                                                                                                                        MD5:6925B8D93F81214E569AB80029AE9FFD
                                                                                                                                                                                                                                        SHA1:AD318591ACC6DBD6C34ACB8529BE01DE9C4DDE86
                                                                                                                                                                                                                                        SHA-256:6818FFC05046738148318630D550130360857BA272577563163B466A1B2EA8BF
                                                                                                                                                                                                                                        SHA-512:7492C29D630A9FA9F4AB41A96AFF08A38C0FC2EC284B92475ABF30343D5346958B5D804539602FEEFFE204A882780D391007ABF920F98849F6D65C2F514F62C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160120
                                                                                                                                                                                                                                        Entropy (8bit):6.406162771968354
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:n6lrh8aWSI9uVDeMWoWVy5zmndQ1dTZjxO3S/9FVkmiGUkP8f:n6lrhISL9e1oWE56ndQ19aY9FjJUf
                                                                                                                                                                                                                                        MD5:9DEBA7281D8ECEEFD760874434BD4E91
                                                                                                                                                                                                                                        SHA1:553E6C86EFDDA04BEACEE98BCEE48A0B0DBA6E75
                                                                                                                                                                                                                                        SHA-256:02A42D2403F0A61C3A52138C407B41883FA27D9128ECC885CF1D35E4EDD6D6B9
                                                                                                                                                                                                                                        SHA-512:7A82FBAC4ADE3A9A29CB877CC716BC8F51B821B533F31F5E0979F0E9ACA365B0353E93CC5352A21FBD29DF8FC0F9A2025351453032942D580B532AB16ACAA306
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsAtom.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):170464
                                                                                                                                                                                                                                        Entropy (8bit):6.477162619102264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/R761d9cCg9+zhOzcx9R0KvvvvnPPH6Gi5tPArrYeiYiPKiF15fJ2K/Krrii555k:U1TcpihOk0KvvvvnPPH6Gi5tPArrYeix
                                                                                                                                                                                                                                        MD5:D9CD9C6486FA53D41949420D429C59F4
                                                                                                                                                                                                                                        SHA1:784AC204D01B442EAE48D732E2F8C901346BC310
                                                                                                                                                                                                                                        SHA-256:C82540979384CDCADF878A2BD5CBE70B79C279182E2896DBDF6999BA88A342C1
                                                                                                                                                                                                                                        SHA-512:B37E365B233727B8EB11EB0520091D2ECD631D43A5969EAEB9120EBD9BEF68C224E1891DD3BAC5EC51FEB2AEE6BEC4B0736F90571B33F4AF59E73DDEE7D1E2AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsDatabase.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):223368
                                                                                                                                                                                                                                        Entropy (8bit):6.790390518378299
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:cqDOhw9PY+4Zl0ZFY9ooyUbc3Kc4dtvU:cQYLlw2cB4Y
                                                                                                                                                                                                                                        MD5:F8978087767D0006680C2EC43BDA6F34
                                                                                                                                                                                                                                        SHA1:755F1357795CB833F0F271C7C87109E719AA4F32
                                                                                                                                                                                                                                        SHA-256:221BB12D3F9B2AA40EE21D2D141A8D12E893A8EABC97A04D159AA46AECFA5D3E
                                                                                                                                                                                                                                        SHA-512:54F48C6F94659C88D947A366691FBAEF3258ED9D63858E64AE007C6F8782F90EDE5C9AB423328062C746BC4BA1E8D30887C97015A5E3E52A432A9CAA02BB6955
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsJSON.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):181376
                                                                                                                                                                                                                                        Entropy (8bit):6.535417258435186
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:40AqxqD7b0Qv6wIMCP1Yr+Xle9WQJTrz96JiBRqMadYMBpCA5LH3lP8FU:3RkD/0Q7IMCP3ePOUBRqKep5jVUFU
                                                                                                                                                                                                                                        MD5:83AD54079827E94479963BA4465A85D7
                                                                                                                                                                                                                                        SHA1:D33EFD0F5E59D1EF30C59D74772B4C43162DC6B7
                                                                                                                                                                                                                                        SHA-256:EC0A8C14A12FDF8D637408F55E6346DA1C64EFDD00CC8921F423B1A2C63D3312
                                                                                                                                                                                                                                        SHA-512:C294FB8AC2A90C6125F8674CA06593B73B884523737692AF3CCAA920851FC283A43C9E2DC928884F97B08FC8974919EC603D1AFB5C178ACD0C2EBD6746A737E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsLogger.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254960
                                                                                                                                                                                                                                        Entropy (8bit):6.54303667228509
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:peGOfaXMwabVZN5rGSFF5qFky5Jb74HthVqbvIy8WvewjLbqzm9iVgUz:sfacB5rJFFh5qb3bmwnliLz
                                                                                                                                                                                                                                        MD5:A16602AAD0A611D228AF718448ED7CBD
                                                                                                                                                                                                                                        SHA1:DDD9B80306860AE0B126D3E834828091C3720AC5
                                                                                                                                                                                                                                        SHA-256:A1F4BA5BB347045D36DCAAC3A917236B924C0341C7278F261109BF137DCEF95A
                                                                                                                                                                                                                                        SHA-512:305A3790A231B4C93B8B4E189E18CB6A06D20B424FD6237D32183C91E2A5C1E863096F4D1B30B73FF15C4C60AF269C4FAAADAF42687101B1B219795ABC70F511
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):817096
                                                                                                                                                                                                                                        Entropy (8bit):6.484394172394775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:1kaJoYf9Z+uUMidkp22We0cRxoJy5DPbTtsqq5dlgM7qcNmP1bGq06ZIEUKth1O7:/Jll87GY2q61llaOZBjKt5qquO
                                                                                                                                                                                                                                        MD5:DED746A9D2D7B7AFCB3ABE1A24DD3163
                                                                                                                                                                                                                                        SHA1:A074C9E981491FF566CD45B912E743BD1266C4AE
                                                                                                                                                                                                                                        SHA-256:C113072678D5FA03B02D750A5911848AB0E247C4B28CF7B152A858C4B24901B3
                                                                                                                                                                                                                                        SHA-512:2C273BF79988DF13F9DA4019F8071CF3B4480ECD814D3DF44B83958F52F49BB668DD2F568293C29EF3545018FEA15C9D5902EF88E0ECFEBAF60458333FCAA91B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):132112
                                                                                                                                                                                                                                        Entropy (8bit):6.109228741444108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3WGjyLgosGplJLT7AwoTFGmrY6sW5P8+G:3wgBGplJX7AHGm8AU+G
                                                                                                                                                                                                                                        MD5:F1E592A7636DF187E89B2139922C609E
                                                                                                                                                                                                                                        SHA1:301A6E257FEFAA69E41C590785222F74FDB344F8
                                                                                                                                                                                                                                        SHA-256:13CA35C619E64A912B972EB89433087CB5B44E947B22A392972D99084F214041
                                                                                                                                                                                                                                        SHA-512:E5D79A08EA2DF8D7DF0AD94362FDA692A9B91F6EDA1E769BC20088EF3C0799AEABF7EB8BD64B4813716962175E6E178B803124DC11CC7C451B6DA7F406F38815
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\nslA035.tmp\rsTime.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14336
                                                                                                                                                                                                                                        Entropy (8bit):4.9513548109773104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HZ2vdzqaLxW8w5/EtHjl+dbA5eI00QF7ji63s8E:paL88/sd0QF7ji63s8E
                                                                                                                                                                                                                                        MD5:A1DEBF02ECBF636E3407DA5287FF7BF2
                                                                                                                                                                                                                                        SHA1:2542F8351605030125BA48361A3CB54EA69D6BC2
                                                                                                                                                                                                                                        SHA-256:109AB83379877DB1A8177F610EC484538648FB626C191DE3824EC6FD7A3A7F8F
                                                                                                                                                                                                                                        SHA-512:53ECC815C9868828DF33B4289CF32F22B99CEB67269B9553429717C91CBF912728C4B3D7AAABD802087480B9AEC56AD8FC65FCF1FFDC8267A07217FC748DD589
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.846136752240531
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:phbWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlAg1O5rxg0XWr:pN1NvbH7O9JKgglrCPChnYVC5A5rxg06
                                                                                                                                                                                                                                        MD5:DADE13E423762BDAE745D57CA3DC86EF
                                                                                                                                                                                                                                        SHA1:7B4122CBEF771C5548A7CB5641B6DB6743C8C3F6
                                                                                                                                                                                                                                        SHA-256:1A1D5FDAC027144BCAA0E8110F4DE717E80944420C59708B3DD8E2BD31BC7ED4
                                                                                                                                                                                                                                        SHA-512:77F5050BA87E8ABEB92298D16897D6CEC087FFB7B4C38442C854A0993B398DE529C15B5674ADAACFB3E39CE05165F05A38337B2DBD41E8A7D806751542F6E8D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.900358338945999
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DIYK1uOKGEXJ7hxwUmX+41C/TUMZc/ZgPPInsYJNM3TPGdTzXpPbf+oBumIJMr2s:D41uOKl7hx9mX+41CLUMZc/ZOPVYJN6Q
                                                                                                                                                                                                                                        MD5:BC75574131447EB445EEB1232AE357B5
                                                                                                                                                                                                                                        SHA1:EC92577F6D83DFE15B77253DF3B421661E22C499
                                                                                                                                                                                                                                        SHA-256:1C44B548ECE47D3E7D9E26C1D31F0E3BDB0D3C73ACFEA688AB2CD67747EB103C
                                                                                                                                                                                                                                        SHA-512:B987DBFBDCBD4443A76EF685D36D460373AB167C79DEE2AD719B9D3F42C9D4C033188A99C8887AAF6593E17F3B3B9E8FACC9E27BF9413A65AED69F866578E1AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.769934969735041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:bIYV7AGeXGfqyuMxUY+iZWBe2v3gW0dFgPaVCe1d3qTS3xH4q9OYtRwbHUWPsLZy:bTAGeXyuMxUY+iZWBei3gW0dFOaEe3CT
                                                                                                                                                                                                                                        MD5:F682F4101F06CF1B5CADBEB09DFCFE53
                                                                                                                                                                                                                                        SHA1:B390DD47FA852E9E1C3A382DA65364FC7566C4B3
                                                                                                                                                                                                                                        SHA-256:06DF84339B108E76478BE1BF35B70A7DCD4DD927FBA2BB70182173AEA8AD7640
                                                                                                                                                                                                                                        SHA-512:F1C8F25511DA1A875A6969BC744FDBE37B713BF23971FE2A6E0E8D0B36531510F6DC1D470FE6455F710E7F8633182061D96AA56EE23147278576064C11597A52
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.7678515397101044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:QIYV7AGeXGfqyuMxUY+iZWBe2v3gW0dFgPaVCe1d3qTS3xH4q9OYtRwbHUWPsLZk:QTAGeXyuMxUY+iZWBei3gW0dFOaEe3Cp
                                                                                                                                                                                                                                        MD5:AA8990AA3D13E0E776F552DCE5B669DB
                                                                                                                                                                                                                                        SHA1:F0BABC7F79489BD143D06D683182457642EB8945
                                                                                                                                                                                                                                        SHA-256:7E0A25E82882D41B3CA99B6736238A1CCF1AF50E67240AE8D234FF6919BFEA96
                                                                                                                                                                                                                                        SHA-512:36C75251F411743FA7F15BFA6109E0CAA86D725E8F2917830B0B1C19B4FC3EAF307BB8F8CC3547F24F1143749E0AB445AE1FE908B22CB40B265590E77765C856
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.727297561865419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BhIYShuTiGMuLj/kyxI0Nc/yGUbwMgWf2iPMXBSSky3WDeFzMShGOBZ7T3GyRKvD:BhUhuTiGj/HxI0Nc/yGUbwMgWf2YMXQR
                                                                                                                                                                                                                                        MD5:AA3066A11238CE14299004DF5F0E366A
                                                                                                                                                                                                                                        SHA1:BFC81509D815E85CFB67409979E0E2B5522381B8
                                                                                                                                                                                                                                        SHA-256:AF9F0BAD5CBF7BCCFF0F059749D9058DE4CE69FA6F7F7238DB0F24A0D237B6BE
                                                                                                                                                                                                                                        SHA-512:6EABDF452F7F8A04976C0F97A7D29DE4F411F8572556BAE55D2A6E55C600A356C5833B79C91B64C7A081F73E0A7E17063BE461B6EBED19F9CA91C1E64D8CC964
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16896
                                                                                                                                                                                                                                        Entropy (8bit):4.850293880518889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iWmNyydz3LxBD5uSw84x/d/dfwJGTV/cEJviNhsFx55n5z5OPMuQ5m5rPzzSvooy:I7LHDFGh0EJviNhsFx55n5z5OPMuQ5mD
                                                                                                                                                                                                                                        MD5:DB774C5850FF8E482E04AE26EE79EEC6
                                                                                                                                                                                                                                        SHA1:FFAE380534E984EC9A336F444351124A46D440FC
                                                                                                                                                                                                                                        SHA-256:FF46247751A2E5135FC6B510BBD51B4D1A4FB902E45A7792AFD9FAD035B52558
                                                                                                                                                                                                                                        SHA-512:7C2C15883647B64A849F4C3703C29EC121B760CCEBB3F5FAE7228CC5FFD0EEAA5F707EAD790D44154B7FC05AFFC54FB00FA1EDD0B1293543DF28CF326A8CA238
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):4.887694928653684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JIY4kciiGg/kISxvnmkYsPV+tIqMvhBhPYTua1j3SfDpu6WbyLWFTXLgNzCii7oc:JKkciiwISxvnmkYsPV+tIqMvhBZYquLp
                                                                                                                                                                                                                                        MD5:F93255F24064A092A60C47999048F56F
                                                                                                                                                                                                                                        SHA1:AC07C75C7DDBD03140B5969F46C425D6EAB68B82
                                                                                                                                                                                                                                        SHA-256:DC80276C4527961A313EB2D20391F48275BC1C15035DFE1B4C859387179D6415
                                                                                                                                                                                                                                        SHA-512:68878CF0ACAFF941DF14F33688B1C5CEF448A4062D03D8D6DD477F0D4247EE416D58E801E07055BBCDCE79ACB146004D672D508C493422926685595CFA564D56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):174592
                                                                                                                                                                                                                                        Entropy (8bit):3.1176056240139736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:URqHi9xDnRbDPi6ag9rucqkerzUCgIMSfZHqdefc8+YZ9:SqmpD66h9lqkerzgIPfF+efc+
                                                                                                                                                                                                                                        MD5:AF1C23B1E641E56B3DE26F5F643EB7D9
                                                                                                                                                                                                                                        SHA1:6C23DEB9B7B0C930533FDBEEA0863173D99CF323
                                                                                                                                                                                                                                        SHA-256:0D3A05E1B06403F2130A6E827B1982D2AF0495CDD42DEB180CA0CE4F20DB5058
                                                                                                                                                                                                                                        SHA-512:0C503EC7E83A5BFD59EC8CCC80F6C54412263AFD24835B8B4272A79C440A0C106875B5C3B9A521A937F0615EB4F112D1D6826948AD5FB6FD173C5C51CB7168F4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13312
                                                                                                                                                                                                                                        Entropy (8bit):5.077342736848736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Pp4EAT1bY2bx1CxHdO35YFInizzX83tNeRFYMvF2MJ3s8V:gblbzC5jmtNeRN2w3s8V
                                                                                                                                                                                                                                        MD5:258B536A66A461FA66BF1B22A828FEF7
                                                                                                                                                                                                                                        SHA1:05AC6CDAA5308E494C864C6A52D429B53B7B03C4
                                                                                                                                                                                                                                        SHA-256:48A343D29F16AD2DF477AEE852853BA87618A939412C47E22B186DD9E6FE2797
                                                                                                                                                                                                                                        SHA-512:E4DA0439162BEF082F106FF47724C6677EB8E643C2D3484C181BD3CCDFE99E3B9D8016F24105176E35C33273E1AAF656BF1BC2393701E081F55C4CA06C0EABB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.701646036890297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:HWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVDA1L5rxg0XWr:H1NvbcbSEm22mdqet+wh25rxg0XWr
                                                                                                                                                                                                                                        MD5:3CEFEC17BAAC089C54C8102A4CFD160C
                                                                                                                                                                                                                                        SHA1:A54CD9BD4181A591937A99BE88BEB006279837DE
                                                                                                                                                                                                                                        SHA-256:AAFBE48966DBC5372A308AB9501245CE261D2715F336AD1908C799D354C981A2
                                                                                                                                                                                                                                        SHA-512:2D45193662C7CE2854CE2D3EE53AE199E094D09BC76D8D8A8E36B24EA60400A5F064CA16CE0078FE6CBDF4117C22565C04E47B99CD99868254C915DB6D18700F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.083912292143303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hIYXbXbaQGf0wwrCwYxzJSKqdy6eY5R6Q3Pyt7g0mY3IC1wx+bDqhbXpVuieenTj:hRbXbaQixwYxzJSKqdy6eY5Rt/A7c+hY
                                                                                                                                                                                                                                        MD5:4D014BB25F1423430572433E7CEF9AC9
                                                                                                                                                                                                                                        SHA1:F6EE46387D8EF7505BC39DFDC43172951E85E3BE
                                                                                                                                                                                                                                        SHA-256:A363D4E4940E7243F0D19C2E4BEADC06E545B9B33D3D12B485B2FF8D6954E767
                                                                                                                                                                                                                                        SHA-512:41B3265945340D7BF7BB8E757612990FD2F93B94DBC2992BBC404CFA233AEFC872068DE5E717D43C34D211313B5238E9160EDFF63399A8BF1BD9C3E93246DFFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.728551774224484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JWWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPol1f5rxg0Xq:J1NvbOtEq40uYSatEdHwWloA9Pk5rxgJ
                                                                                                                                                                                                                                        MD5:833F269BA6F0C34F49273DA7FBD7DCE7
                                                                                                                                                                                                                                        SHA1:D0253D322DCDF7F54E37C7E8911A8B77670D2967
                                                                                                                                                                                                                                        SHA-256:F8C769A357E6CD27452835E5288FE515FB50BFEEC83EF3969975171174B467E5
                                                                                                                                                                                                                                        SHA-512:4FA315E23D985AFFB46F6536CDF2DDC1B882F47098EE2D5A4B954DDEEB8904D1C83182B1598E4948A59728339945307B699A147ECD813C0F91986D95BDC57184
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                                                        Entropy (8bit):5.070760818054194
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:BIY26Y9TGjEWVWxzJS9gSKiLHQhcScP/yggS2w3tWGPO4JRy0ty6WGbdIY9MAFXh:Bw6Y9TEVWxzJS9gSKiLwhcSSqgwmMGxJ
                                                                                                                                                                                                                                        MD5:F6743DFCDCE11D9A4715DA9A755EB8F1
                                                                                                                                                                                                                                        SHA1:B0FAE08687CBEF60BD68B8BAA5C0AD34C5DEEC78
                                                                                                                                                                                                                                        SHA-256:5AC7A5CF8841161701E33C27859269A9DA61C8C6A9184F3E0E9441B6E6FE5D23
                                                                                                                                                                                                                                        SHA-512:EE486E82D51C3FA717AC99052CAB52D8BEB179E81119EF05C383C8A64E3AA844DCA3710373A619F7971D2A3FA52E54F93D5DFE1DFE077326AB860F8144817D4C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):5.814115788739565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                                                                        MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                                                                        SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                                                                        SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                                                                        SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):5.814115788739565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                                                                        MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                                                                        SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                                                                        SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                                                                        SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\ReasonLabs\EPP\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12288
                                                                                                                                                                                                                                        Entropy (8bit):5.814115788739565
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                                                                        MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                                                                        SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                                                                        SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                                                                        SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\ReasonLabs\EPP\Uninstall.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1968176
                                                                                                                                                                                                                                        Entropy (8bit):7.8092639751415245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:ndlczrfrH0aJTylWcs5IP63tFOzfitt2Yiu0:ndlcvTWlZ6IP63tifi7Lq
                                                                                                                                                                                                                                        MD5:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        SHA1:F0020E1D0ABABD096BFEFCBFACB150889328A28A
                                                                                                                                                                                                                                        SHA-256:10E61ACA57FB74AC71238E8E0C9EEFB3942A646F7773BEA1B4348CAC922C9336
                                                                                                                                                                                                                                        SHA-512:33F903BB6B19A29BD09EF515977439EF6EF63EBC0640CECED61DD7D7FB35A5DEABCBA5F2F8B0A01015778E22F2AAF2050D3521B37326305E0055682B8C3E547C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1237240
                                                                                                                                                                                                                                        Entropy (8bit):7.953113012283156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:wNc2jRzc3DQITX0TYDHwviQ0whanJTy314OUcuwwzoG4+IPg/3tFtUAy:QcqRzEQNcH0aJTylWcs5IP63tFE
                                                                                                                                                                                                                                        MD5:9D82BCEEDE22E68106F9D8A2EB9ACDCD
                                                                                                                                                                                                                                        SHA1:DE106388B9204F996979453B59ADECE1757F08FB
                                                                                                                                                                                                                                        SHA-256:D8D2627073F1FCECFCEBD7D4858D7682BF6EA1AB4CBEFE55C596D5027678CD2D
                                                                                                                                                                                                                                        SHA-512:3D55BF9E0D9F30865A05CB17655CD6507B9D9FF050952DDA6361F491148E68182DB769D2645B99D85AB17CF5FE46965641DC85413CDCFB00E1741C1F38EB24AB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@.......................................... ..p...........`....Z...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...p...............................rsrc...p.... ......................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (5271)
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6243
                                                                                                                                                                                                                                        Entropy (8bit):6.076052743444309
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:bpfHHoBhbsSl1DHpjCJ7HyI5apc3jfN1VdVtzJI511MOsZKhvuN9YAu6gRuWKlCJ:ZHqbsIpoWIuEjfNn6T5vY906gR7KMJ
                                                                                                                                                                                                                                        MD5:48E829CE9CC9BB83284C83492F54D217
                                                                                                                                                                                                                                        SHA1:29C4C01CC2E060D0CC1A7DB6C0B25F57BB81ED0C
                                                                                                                                                                                                                                        SHA-256:DA375CB6A4479BCF0341271BE0C664946954184552494DCA0D7432B39CF37D2F
                                                                                                                                                                                                                                        SHA-512:B3FD8BE746CC545AB35A7C4D6E3F85F1A9696F854B86F02F14B58B6773CB560E96EB04044F9B13C8393F37A889C1DA819C9B5C56B5A3E871554DB5EC285573AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<BitComet>. <Settings>. <SystemTrayHandle>67774,150</SystemTrayHandle>. <ClientInstallID>1fee37ee0638a01c7c0fab8cc0cb2070</ClientInstallID>. <LastAdCacheClearDate>19836</LastAdCacheClearDate>. <AddIEContextMenu>false</AddIEContextMenu>. <CaptureIEDownload>false</CaptureIEDownload>. <ListenPort>7319</ListenPort>. <EdListenPort>27517</EdListenPort>. <EdListenPortUdp>27517</EdListenPortUdp>. <LastAutoUpdateCheckDate>1713855189</LastAutoUpdateCheckDate>. <ServerListNew>lcuDltSibqb5I5ERTRKf4CduiSrBctZT8jmCy7WXVhlfGmogxR88eHU9L0p/pahzzk4LLCjSr/9ofRoVM0xPsYVh5t2O3sLM3b+Tg1U6tSf14vSvDQN2JSwu+B4t1J/18rbR3pHRFk+FYQ58QtPP9KQQmvofHNjUDKEG/wx2mtHdP3Ip/riZ/Gtd0+P3In/esDVmhX0XYyntEbg/yS0rOnbBpgKLcgzcFDF1b0YQm4Jfss7ggnSwnglG+WPa88GcNHXzCsi43FjadEYvxDywN1vKbSKd0jkS3Vwl9csdkz1CvC+310bwCpIX2ebfGnH2zPJY09vbLW2+uDCNBIrfsL/jpOl4AhHFxr93UIC9g6StjA5VILxuANGXBZPW205vKoRooyn6e8Gf4W6ZqfuoQHqInEG1npCb58RpjJcMUCQTr31vT1POTvJAbYR
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3007006, page size 1024, file counter 4, database pages 4, cookie 0x4, schema 2, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4096
                                                                                                                                                                                                                                        Entropy (8bit):1.0590579914649472
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:HLQ4ByAGqGrVhdFTstUkLDTRrXhFkb9OkEc8ll:rfyFqGphd5siCTRrXhF68l
                                                                                                                                                                                                                                        MD5:E0F1475C12AFE4F9682E2D2ED9F38D80
                                                                                                                                                                                                                                        SHA1:12219DDA92CEA914BD67D77136E7A7B5576F2152
                                                                                                                                                                                                                                        SHA-256:7A2B11D74AD2D5773B51E22F48226590EB4DFDB539954B4E60C838D014DA4BDB
                                                                                                                                                                                                                                        SHA-512:DFB0631EEAFAA4A53AB35CBD149D745344102FFA47464A062DFC39C35C81339846611D71D49AA99F92C951FB9D404708AF99BD68DD994A61CCEA255CAE9915C0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .........................................................................-........}......}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................M......mindexidx_dateMyHistory.CREATE UNIQUE INDEX idx_date on MyHistory (hash).z.......CtableMyHistoryMyHistory.CREATE TABLE MyHistory (hash CHAR(40) primary key asc,title TEXT not null,size INT not null,category TEXT,createtime INT,private INT,added_time INT,task_finished INT,save_path TEXT, hash_v2 CHAR(64), torrent_format INT)1...E...indexsqlite_autoindex_M
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1544
                                                                                                                                                                                                                                        Entropy (8bit):2.1010286089236456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:7+tp+LV7VhdFTstUkLDTRrXhFkb9OkEc8llB:7+tp8bhd5siCTRrXhF68lX
                                                                                                                                                                                                                                        MD5:BCDEA140B12923C78EF1524BF81238CD
                                                                                                                                                                                                                                        SHA1:8BCF2DB1DE85B03884861A5B03ABCC557B0379B6
                                                                                                                                                                                                                                        SHA-256:36CF7A737D9DD725C61E06772C5F0935D8CFFBA4B9DFC21B81E15476EC1863DB
                                                                                                                                                                                                                                        SHA-512:C779D8452947C84BB868A31C29DB6672536A1233910009636B2E229BD5ED6E8094BA0B1049FFFA35623D18F4ACF87942E06371DEA5F37A4886CD3C01F7402BBD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3007006, page size 1024, file counter 2, database pages 4, cookie 0x2, schema 1, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4096
                                                                                                                                                                                                                                        Entropy (8bit):0.97656941552763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:HLG06RJB6LGqPRBmnEHOR/0FqFB89wBQJLdyQ8wsQKXwVh:r0FbqPQEuD8wB8LdyQl8Xw
                                                                                                                                                                                                                                        MD5:02F01CD119BBA40C635BA49995B465B1
                                                                                                                                                                                                                                        SHA1:AEDED21F5B475DAA006FFEF2FA2E5B2C0669566C
                                                                                                                                                                                                                                        SHA-256:F274381F54DC33B8B619F08F99CBF09A81B8813AD7C701467E18B3AD85A9B13D
                                                                                                                                                                                                                                        SHA-512:32AE540C35DF723264BA937D2A4CEC3A96ED8363BB9AF891A1A50D60F421EA39E4CB7842C6919D652221D17898CB72CCC9A06447062BCA9463764CCC9AC4B674
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .........................................................................-.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N......qindexidx_datetaskinfo.CREATE UNIQUE INDEX idx_date on taskinfo (task_id).a........tabletaskinfotaskinfo.CREATE TABLE taskinfo (task_id char(56) primary key asc,expire_time_utc datetime not null,posts int not null,rating smallint not null,votes int not null,snapshot int not null,popular int not null)/...C...indexsqlite_autoindex
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1544
                                                                                                                                                                                                                                        Entropy (8bit):1.8938229691379207
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:7+tN4m+LiuF0n/l5EHOR/0FqFB89wBQJLdyQ8wsQKXwVhG:7+tN/8iuw5EuD8wB8LdyQl8Xw2
                                                                                                                                                                                                                                        MD5:43C119E48A44D01E1BA6853F0A08A525
                                                                                                                                                                                                                                        SHA1:F0CF3B63E96C157AA372B3AC3943DD1CF27725BD
                                                                                                                                                                                                                                        SHA-256:9552B8AEF885DA52898D12C0C75251DEEA5DB38D7C8BFE41D2F44D01B9B76581
                                                                                                                                                                                                                                        SHA-512:59265FF7F9924A09047C4B39137FE431BE78CCD0F94B9F63D70CD0609F9E3A52833715BC64CE1BFA6220AAB9F179C1F5C8039D3000DC23F1C527DF8C652A838A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2102
                                                                                                                                                                                                                                        Entropy (8bit):3.7114563807036225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:tVoUAcEEhNy5E2/zouWe807ZUJbDOEjydnsmM4QJ0QMlX1ZvwTfI41zZ0:tuUAcEEhI5E2/zouWe807ZUJbqEjydnn
                                                                                                                                                                                                                                        MD5:BCB8FCFD9F2895DBA661D9D6A2C7E104
                                                                                                                                                                                                                                        SHA1:2022C57946DD3C6061F1340E09069F0601EB8668
                                                                                                                                                                                                                                        SHA-256:64977EE1C99F4F74FD196814736745E30D23D57A0E9F40AE80DA9AC4061C5F78
                                                                                                                                                                                                                                        SHA-512:01680C5D380AD8F226E359627B2A1B8412FEE43E0301BA35AF224EAA31E6CA92BF3FB0B86E22EF95F242ECF63D4C3865D1BDDD99709A22B6920D2C1D8FFC6586
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:if you would like, you may add your favourite site in your language to fav/fav_xx_xx.xml file, and mail yours to bitcomet@yahoo.com.... Language -> Favourite File Name..==================================================..Albanian -> fav_sq.xml..Arabic -> fav_ar.xml..Basque -> fav_eu.xml..Bosnian -> fav_bs.xml..Bulgarian -> fav_bg.xml..Catalan -> fav_ca.xml..Chinese (Simplified) -> fav_zh_CN.xml..Chinese (Traditional) -> fav_zh_TW.xml..Croatian -> fav_hr.xml..Czech -> fav_cs.xml..Danish -> fav_da.xml..Dutch -> fav_nl.xml..English -> fav_en_US.xml..Estonian -> fav_et.xml..Finnish -> fav_fi.xml..French -> fav_fr.xml..Galician -> fav_gl.xml..Germ
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 Hz
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24637
                                                                                                                                                                                                                                        Entropy (8bit):3.5384978461622847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:VBUP1MtsT0rT7ulrrruuiH2aFCuuuuuouuuuuuuQ:VEpArT7ulrrruuiH2aFCuuuuuouuuuuC
                                                                                                                                                                                                                                        MD5:8980AFEA02E229237A12725D4671F5C4
                                                                                                                                                                                                                                        SHA1:2845431B8FDD8A228C1D52E11D95CCA96E9455A7
                                                                                                                                                                                                                                        SHA-256:3DCF2568E492A62F91C6C9BBCFD7F1A12AA272FCA37B2A7EC7D68AD40BD462B8
                                                                                                                                                                                                                                        SHA-512:381F5B9E31AEB6CE5162C0DAC392E9A14D4996A21A483C647344EB23893C45F60D388550237E1D879D470ACCD9F0FC844DA7878A14E8D5A9955510B76E4FF133
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):44574
                                                                                                                                                                                                                                        Entropy (8bit):7.993583474935827
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:9yyESZ8/ADofafP0oqU/jIRx4K7cmP0j0p/Ch2/6RBA6G5AUEg/+z4V/vXxrx/Lf:UyESZ8/ADdMBU/jIXF7LA0pGJRCDtEFI
                                                                                                                                                                                                                                        MD5:1456A3A00888B3546106577143BAF1B4
                                                                                                                                                                                                                                        SHA1:AD15A91CB105B5D0ABB41E479082BE94E566B85B
                                                                                                                                                                                                                                        SHA-256:2F116A7431EF22C544EDC1F7151895C095E0D23C261717779AACCE50C274F92D
                                                                                                                                                                                                                                        SHA-512:B78D84A759200F100CC3F779CA06CA2D173D85DED018FE5DFD34B71649A83EF5A2908DE447F0B4B991260E2B1B4625B01005A2E927FAB47289818B7FB1612BB4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):44917
                                                                                                                                                                                                                                        Entropy (8bit):7.9926926144744455
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:768:xjGH8i/nwu9VzeW7QaTh899kmwwpD+0clV9MUHAHitDnJzarsHciw3NCyAXGZHdJ:xav/nwi5T9Yubwvcr9MUHUitDn9ysHcD
                                                                                                                                                                                                                                        MD5:8679541496E183BAECF4B68D10BECD6B
                                                                                                                                                                                                                                        SHA1:7A20A53636D6B2D1DAAFB41E08526FEEB43DDCD1
                                                                                                                                                                                                                                        SHA-256:034CFB415E84B49013EDA926BC562F76B5C36DE2A7E6E7C8622690B2BC595B4C
                                                                                                                                                                                                                                        SHA-512:5A242AE65D7B104AD33634D129B22AFBA6F0F3C6AF38CA84300A9670E691DC2C0357023B3A88E68107FBE57EC89F8203370C8CEAEF8B997743FA8E43FA13DDFA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):67932
                                                                                                                                                                                                                                        Entropy (8bit):7.993759003642842
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:ZTAoQpBCvRAkPu9BL8KEoOl/Cz4/r+MVc93E5rYT:Zk9BCvSkPSN83ll/n+MaixYT
                                                                                                                                                                                                                                        MD5:65EE73374475CE1FA2BB13EDBB8BF1E1
                                                                                                                                                                                                                                        SHA1:DE3459AEF1F1585BEDE131AA27746E8649E33BEB
                                                                                                                                                                                                                                        SHA-256:4929DA5C79350F943CD566B90B6F3B7875BCACAF98A9A51E79BFAD89802658B2
                                                                                                                                                                                                                                        SHA-512:AFA4DA8ECD64164A46CA8A6502FDCB7AA55CC6F213F17360EAE7281E0F3B90FD10BD807BB081D53EE7159D80208C3EBBA07AD80B9C8F3ED37AA3242657B590DF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59284
                                                                                                                                                                                                                                        Entropy (8bit):7.995077148269018
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:OE/z9k630A9PpdbC63uiNG2D+a93AvjAvlp4wjGE07ySrDreIERjBR:z9f3VDui02D+s3dj0bZERdR
                                                                                                                                                                                                                                        MD5:71177CAD5DF18CC2CFEF61BA03602474
                                                                                                                                                                                                                                        SHA1:F836EE14957BC75ED4006501926419571751D695
                                                                                                                                                                                                                                        SHA-256:60B859744F4C3011C5093D6DC1D1E9DB04964E89CBA6134CC0A659661AE28DB3
                                                                                                                                                                                                                                        SHA-512:053DA12833CD1CABB282D2C4A005AA7443DEE4DD9EE960C392BEF21223CAB99CC5CBDAFF1D87BC64DC044992B19D6EE73E586E5AF76486257657561CD398B71C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1329
                                                                                                                                                                                                                                        Entropy (8bit):5.020282734796359
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dF/mGMnIqYCXyR+4/j5IVbRGr00bhR/ZaxUHzNLJnxIHBUXjXR9v:c1mGMnZtXSdj54c00b0Ulahiv
                                                                                                                                                                                                                                        MD5:D5261EED2AD6A3D575A41AD04D2A642E
                                                                                                                                                                                                                                        SHA1:60078784E7461174527A76F4ED5347E2C52389D9
                                                                                                                                                                                                                                        SHA-256:7FFC245B285B07D908EE24DBE0861D97BCBC5529F513A8BBDE4E5AB318D6BA74
                                                                                                                                                                                                                                        SHA-512:3C1011137729EF6E121F1E1CE241CF045ECB4467A77AA3CE12EDEC271CCD1193F989CBCE3F298ED62358AE08799765CDED9ECA204B90CA77D3507185348DF8A5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<BitComet Author="RnySmile" Version="0.1">...<Favourite>....<WebSite expend="true" display="Torrent Sites" infotip="Browse Torrents Sites...">.....<torrents type="url" value="https://thepiratebay.org/" display="The Pirate Bay" infotip="" />.....<torrents type="url" value="http://www.torrentroom.com/" display="Torrent Room" infotip="" />.....<torrents type="url" value="http://www.torrentbar.com/" display="Torrent Bar" infotip="" />........<torrents type="url" value="https://www.demonoid.pw" display="Demonoid" infotip="" />.....<torrents type="url" value="http://www.sumotorrent.com/" display="SUMO Torrent" infotip="" />.....<torrents type="url" value="http://www.btmon.com/" display="BTMon" infotip="" />....</WebSite>...</Favourite>...<SearchToolbar>....<PirateBay title="ThePirateBay" link="https://thepiratebay.org/" html="http://www.bitcomet.com/client/redir/?https://thepiratebay.org/search/${QUERY}" />....<TorrentRoom title="TorrentRoom" link="htt
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1686
                                                                                                                                                                                                                                        Entropy (8bit):5.341532937920971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:c1mGMnZtXSdj5x4wpWRp7K8c00b0Ulah1:zztRp44L
                                                                                                                                                                                                                                        MD5:5117FCC505C388208F77D733D372E988
                                                                                                                                                                                                                                        SHA1:78DBA00D3554940BC8DE3A24E7D11CC0332902E6
                                                                                                                                                                                                                                        SHA-256:F736CED207698F75A8EFEF131A43204B6144A8C9DABF430F988B6F379899697E
                                                                                                                                                                                                                                        SHA-512:27B8AFD559EEBF033FB96A735333AF215DA71FF9D86E5AC58D0F99964D2726C3BFAF856221C6E7BB355882635FF66AB5EA3FEF498B1C3C2277C491E891885CCF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<BitComet Author="RnySmile" Version="0.1">...<Favourite>....<WebSite expend="true" display="Torrent Sites" infotip="Browse Torrents Sites...">.....<torrents type="url" value="https://thepiratebay.org/" display="The Pirate Bay" infotip="" />.....<torrents type="url" value="http://www.torrentroom.com/" display="Torrent Room" infotip="" />.....<torrents type="url" value="http://www.torrentbar.com/" display="Torrent Bar" infotip="" />........<torrents type="url" value="https://www.demonoid.pw" display="Demonoid" infotip="" />.....<torrents type="url" value="http://www.sumotorrent.com/" display="SUMO Torrent" infotip="" />.....<torrents type="url" value="http://www.btmon.com/" display="BTMon" infotip="" />....</WebSite>....<HomePage expend="true" icon="4" display="BitComet ......" infotip="BitComet...............">.....<BitCometHomePage type="url" value="http://www.bitcomet.com/" display=".........
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):255
                                                                                                                                                                                                                                        Entropy (8bit):5.406511758752926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:JiMVBdYwoObVVgOnN04TNI4xKRQWYRJ4yhuG7ixKRQ:MMHdFb/ceC4MR0buG75RQ
                                                                                                                                                                                                                                        MD5:9AD69127D67064E26875DBE67648A9AB
                                                                                                                                                                                                                                        SHA1:7B32A8E84FFD9A88743DCF16FC8F57DF9320A363
                                                                                                                                                                                                                                        SHA-256:E97923A042E30CC5E7B074948ED3F421BFC2C06E661399517BDCCF692D3D58B0
                                                                                                                                                                                                                                        SHA-512:8FEEAE299C507D160195D4D70CD16662830EBFBEADBB533F98AA7ED540FEE82D869A4ED96F746E30E3BC471B1D046EE212EA64AC8A33A433D7DB1A7079A6AE56
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<BitComet Author="RnySmile" Version="0.1">...<Favourite>...</Favourite>...<SearchToolbar>....<s title=".." link="https://jprj.com/" html="https://jprj.com/search?q=${QUERY}" />...</SearchToolbar>..</BitComet>
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):296
                                                                                                                                                                                                                                        Entropy (8bit):5.409903425816016
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:TMVBdY5HJFMVVgOnN04TNI4xKRQWYRJdiK53LKFhrG+9VfM9RqdxKR9v:TMHdu2/ceC4MR0/3whrG+32qmR9v
                                                                                                                                                                                                                                        MD5:E833111D6C329F1CD7E1023683DDD685
                                                                                                                                                                                                                                        SHA1:8D147C2F2DD3F29982167B168160BE71CAB1040C
                                                                                                                                                                                                                                        SHA-256:882C77B9B177ABA77FC37A488D14C9B77E72E118B22B0813E2B6DE3830F2E1A8
                                                                                                                                                                                                                                        SHA-512:CEEC6AD3034D06760DEC1E9ECB688A82D172901D0D29B03319775F93BAE58D3C964A48B9B5D15E78E12981CFA5B70D32940257825AC7B02AFE64F0FEABF47D22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<BitComet Author="X-Ray" Version="0.1">...<Favourite>...</Favourite>...<SearchToolbar>....<s title=".." link="http://tw.yahoo.com/" html="http://tw.search.yahoo.com/search?fr=yfp&amp;ei=utf-8&amp;v=0&amp;p=${QUERY}" />...</SearchToolbar>..</BitComet>..
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33174
                                                                                                                                                                                                                                        Entropy (8bit):7.886948258995984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:REMbqKGjL8bCgMpyonxzVhDNtaxVq2WvUEMbqKGjLFp:Rl/GjtbnThDNtaxVq2WvUl/GjJp
                                                                                                                                                                                                                                        MD5:B6ADF0D4F826A82B6902AC9E0EB71E9C
                                                                                                                                                                                                                                        SHA1:635388C1B0D1BF2674D4D1A1B35F817625734B99
                                                                                                                                                                                                                                        SHA-256:2ACB6E91B694F4F14157B024D3990404453DF52D4E205C99DA14BAEEBE50E429
                                                                                                                                                                                                                                        SHA-512:F4B58903E25D990464A76F9B4CEDC3FC61FC0C4577E2E7CE586CA7BAC15DA606C214EF944642F4F83648F47B8A9CA978A539DFCA70B35B3E73A54B346471266F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35631
                                                                                                                                                                                                                                        Entropy (8bit):7.892420187794153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:BEMbqKGjLFjbvZkHUfE0D+Db6/ph8U9A6pSmjgk9EMbqKGjLr:Bl/GjtTSUsnDbULA6p/pl/GjH
                                                                                                                                                                                                                                        MD5:84F24CB8AC63F1EC18B2C51919323F7B
                                                                                                                                                                                                                                        SHA1:072B317DA3526C130215F1A5F79CD1E0A2D719A9
                                                                                                                                                                                                                                        SHA-256:3D791EF418D0376204AB1C122A04FD968785B042DDEBD8CA84A06A6187572F7B
                                                                                                                                                                                                                                        SHA-512:C6771B7593B6B1C912D657CBDF3EB268ABB74D3590FB67AC2BE0A5A7F7A1FB2C4E55E23741653CFD02869AFD47A17AACB745BA8F66EB8D455C1692F50421EB2C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35889
                                                                                                                                                                                                                                        Entropy (8bit):7.894452005921424
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xEMbqKGjLYob7OHUfE0OojToj9xWmUEMbqKGjLy:xl/GjtqUs3GTojXAl/Gje
                                                                                                                                                                                                                                        MD5:C2425A4A19235FDC4F91B25269CB968A
                                                                                                                                                                                                                                        SHA1:5F0FE8A3646E12ECF55A16DBFC7DEC6A46FFB731
                                                                                                                                                                                                                                        SHA-256:3F3E42D7E5A34279A9577CA95F90B333135203D7FD59646014AC9499D6776805
                                                                                                                                                                                                                                        SHA-512:A9D26AEDE850A4CFF4DEBF2E94D4942E0A65CAFF69A681118A70AC592C89B4E54E6B25D96F795E02C2A17F21A15BDA7F75A0FF3A938E38D8A4527C5F9203E8C4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):454899
                                                                                                                                                                                                                                        Entropy (8bit):7.957987446000835
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:cJ5q0bbKTNOCOeow0ukq3RActFe+HaqYTHs9:c35KTkteyFie+H8g9
                                                                                                                                                                                                                                        MD5:C117A545DE89C679D841674614A3F9F2
                                                                                                                                                                                                                                        SHA1:C5C3E49F0B923AE91BD84E531045B1809434866D
                                                                                                                                                                                                                                        SHA-256:C0846BCC3FF7BBC84C09144B1DFAA2E22AE944F0F0FEBCB801B0125CE66158B4
                                                                                                                                                                                                                                        SHA-512:A07DBEB9593C56D1EF6CFC1FCAC85A28E2D552E4FCB50BC0E9AB96208CB98428387A87DDCC29459624272D7A1D242E5AF285AC15709DB127C31AA539E3C74429
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3007006, page size 1024, file counter 2, database pages 4, cookie 0x2, schema 1, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4096
                                                                                                                                                                                                                                        Entropy (8bit):0.9790173265894578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:lpbNFlo0aK2auB5f8Q4g91435gQKhCmLFKhTSSgLu9EgpruWFxQWFtuWdzolJ2G:HLG0BruB5jGpgQKNwZfF2oBjzolh
                                                                                                                                                                                                                                        MD5:EC5AEF4B94DC9C888D8201A5A3E25D26
                                                                                                                                                                                                                                        SHA1:F73F776B9080F56C48BE35828402A5B665E745A8
                                                                                                                                                                                                                                        SHA-256:5B5BA61C1521D7AA7971832FA0820DAB8D989E78CC878D8553C3403371F3B085
                                                                                                                                                                                                                                        SHA-512:1EF9A12CEA589514AD96735C9B11327F2141DD8925EC2086EEBE96C54801D3ED46BA28C200B39E6870FEFB0988054EB37B91A0F97781437FA25349172A0C0183
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .........................................................................-......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................l...+'...indexidx_date_useridscore_history.CREATE UNIQUE INDEX idx_date_userid on score_history (date,user_id).8...''../tablescore_historyscore_history.CREATE TABLE score_history (date char(10) not null,user_id int not null,score_min int not null,score_max int not null,primary key(date, user_id))9...M'..indexsqlite_autoindex_score_his
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1544
                                                                                                                                                                                                                                        Entropy (8bit):1.7664946856204764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:7+/ly4rgpbNFlEuX10Z8IFKhTSSgLu9EgpruWFxQWFtuWdzolJ2GJ:7+tyU+LiuF0uIwZfF2oBjzolhJ
                                                                                                                                                                                                                                        MD5:93BA2FC1A512045E5F3FB109FE9940FC
                                                                                                                                                                                                                                        SHA1:5F3D219CA628D2A3CCA19B47239C63562803B0ED
                                                                                                                                                                                                                                        SHA-256:71B0B06CACEEA0B7649BF4F6050BEAF37FEFCBAE492413DE0EF7716D258E71B3
                                                                                                                                                                                                                                        SHA-512:C4409F41BEF8D72DB702D9CC5823704404721D9384E2A0ED4E8B8E08DBA9545EEBAD1C2B3AC985BA216CAF43CB48927194075F4EEFE09D3A4DC46CFAEEA46117
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2831
                                                                                                                                                                                                                                        Entropy (8bit):7.935919419858076
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:aO6N+GOd0ybgIlO9UZDAtCWdDZ2OdzCymYX3YIFB1fyOLiC7+aDY96IY8X79/yqB:aO6NPOd0yMIqqDwCWBZ2w+EPffyRC7+n
                                                                                                                                                                                                                                        MD5:0BE9088EBEC67F4BB9FC033905D73765
                                                                                                                                                                                                                                        SHA1:F289B9007C7ACE507122550ACBCD11BDE43F57F1
                                                                                                                                                                                                                                        SHA-256:6DF48EC7381A989262C19263543C50D6DA8276CC18A5389D3281F21AFEBF0F47
                                                                                                                                                                                                                                        SHA-512:F92C9013ED764A62447AFBBD568DE85E25848FE50AA53DA1D4DC61934FEDD8BD90348E473D6CB27301E078DF0B5B33E5035F96F97B718787883F1D68691793CF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3007006, page size 1024, file counter 5, database pages 4, cookie 0x5, schema 2, UTF-8, version-valid-for 5
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4096
                                                                                                                                                                                                                                        Entropy (8bit):1.0264107533485518
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:lpbNFl4/ci156YlBd9143aNGnkrLuQxntUJqvDDFdvRrJKKmrkttAqw8+a7:HLW915JB7GqNjeYntUkLDTRrtCqTN
                                                                                                                                                                                                                                        MD5:E878CC0EE8F5B38069B158AB5F36F5D0
                                                                                                                                                                                                                                        SHA1:46CE6322707707C435829D91EE0C4674B547B2D4
                                                                                                                                                                                                                                        SHA-256:DBD0BDAE141F57BB6296435EFD9E1E68B98D25F77F7BF7225C853EB3DD77A602
                                                                                                                                                                                                                                        SHA-512:EA570401D8CB0DFADC5DF8941B4F8A34D53717E9A47BCBEC33131256DE558B3833362C7F3863B2A76DCD6B27C22BE0C26203AEF08E845DAF86783E42491DFD86
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .........................................................................-.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................K......kindexidx_dateMyShares.CREATE UNIQUE INDEX idx_date on MyShares (hash).l.......+tableMySharesMyShares.CREATE TABLE MyShares (hash CHAR(40) primary key asc,title TEXT not null,size INT not null,category TEXT,createtime INT,task_finished INT,save_path TEXT, added_time INT, hash_v2 CHAR(64), torrent_format INT)/...C...indexsqlite_autoindex
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1544
                                                                                                                                                                                                                                        Entropy (8bit):2.0321552522405377
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:7+/lLVlGrgpbNFl6l+m4qXersnkrLuQxntUJqvDDFdvRrJKKmrkttAqw8+a7+:7+tLVU+LAwIXerNeYntUkLDTRrtCqTN+
                                                                                                                                                                                                                                        MD5:50E8B425665B84DE127A57EA8DCF9B46
                                                                                                                                                                                                                                        SHA1:6735ABACE6CC3BCFF74C31737E421FCA6D5F3DFA
                                                                                                                                                                                                                                        SHA-256:BDB158043A0A0F613140E8F0FAAC12524E3034AD7F20A5A4BE9246A1706CDB21
                                                                                                                                                                                                                                        SHA-512:139B39B86B577164D9739405022B0AF752021608DDCD19A75DBC9898EB7EF186F9DE0A2D383581A40948AB0AEB75C5A6407AD091E787DCC446E727AF092A7649
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3007006, page size 1024, file counter 14, database pages 13, cookie 0x3, schema 2, UTF-8, version-valid-for 14
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13312
                                                                                                                                                                                                                                        Entropy (8bit):4.663298574549038
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:08QOQL56GZJRD9DD8JRD9DDovcC06nTnr:S03u
                                                                                                                                                                                                                                        MD5:947C40DE2FF3AE59F4D89B8308AF122F
                                                                                                                                                                                                                                        SHA1:2A55A8AD55EDBFF087564D16A1FEEC39FA4CBBA5
                                                                                                                                                                                                                                        SHA-256:8E5D8138B3ACCA306352C716348B327CC33F4314C5203144F00415AB9B8AD2F2
                                                                                                                                                                                                                                        SHA-512:8B047BC8FA1CB96DAB745AB5FFBE5F58F68747B08A1394C4E2428DA8F1BF419E9DE35418DAE6D58D963EB638B48BD4D25B165A1CFB4B0500451ED132E98C74BF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .........................................................................-...........&.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Q....#.qindexidx_dateDhtTorrents.CREATE UNIQUE INDEX idx_date on DhtTorrents (hash).....##...tableDhtTorrentsDhtTorrents.CREATE TABLE DhtTorrents (hash CHAR(40) primary key asc,title TEXT,size INT,category TEXT,createtime INT, added_time INT)5...I#..indexsqlite_autoindex_DhtTo
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4640
                                                                                                                                                                                                                                        Entropy (8bit):4.269903320090559
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MDG7IpciDJ6TfuWYgWfTHw7IpciDJ6TfuWYgWfTHqJKUQHFrHcuOXlLch3YsRUU:7qGUb9pgAwUb9pgA4Or8lXVcC0Upod
                                                                                                                                                                                                                                        MD5:56EDA6CA7A174D98021E9CF16604A402
                                                                                                                                                                                                                                        SHA1:7B8D318089C49835C841EC621069C67B4E1FC694
                                                                                                                                                                                                                                        SHA-256:120A412A507A209AFBD5A981F8B52926F28ED2BD50D16A2D6557F6AB0E4E75DD
                                                                                                                                                                                                                                        SHA-512:2024F65FD8233A35E924E7C8F916651A957940A211C95C539825389F57DDA6C71C77C521B6FFFC27598F7688B32EB2CCF2CFD9D810B96AADEB41ABF8CC74C9BF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5120
                                                                                                                                                                                                                                        Entropy (8bit):3.1120606386156644
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fd3gPFzjB1lbdd63A6yrnd3gPFzjB11dd63A6Mwd3gPFzjB1+dd63A6KHBW1:RkpB/kpckpOHy
                                                                                                                                                                                                                                        MD5:03861DB4EB4305E120E6FCE017222BED
                                                                                                                                                                                                                                        SHA1:13A2C4CCEF0EB3606404023FF76C5B4AF5076D42
                                                                                                                                                                                                                                        SHA-256:31FCEA58B117C7732E3E7FC6B3AFFD7A797CF0623B2EF5EC1A18717B8FF6E3AF
                                                                                                                                                                                                                                        SHA-512:CEE0126E747F348BBFE473BF2A3490D54D8F8CC24B1615276AC19B8C89EA4D093442EB68502BF4F46CA7E689402B67BFAC2284FDF766B22888A29DF167A4EAA0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...................................FL..................F.@.. ....O..On...>..@....O..On..........................{....P.O. .:i.....+00.../C:\.....................1......X.-..PROGRA~1..t......O.I.X.-....B...............J.....Bx..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.-..BitComet..B......X.,.X.-....J.........................B.i.t.C.o.m.e.t.....f.2.....dX.. .BitComet.exe..J......dX...X.,..............................B.i.t.C.o.m.e.t...e.x.e.......U...............-.......T....................C:\Program Files\BitComet\BitComet.exe..../.s.u.s.p.e.n.d.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.i.t.C.o.m.e.t.\.B.i.t.C.o.m.e.t...e.x.e.........%ProgramFiles%\BitComet\BitComet.exe................................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.B.i.t.C.o.m.e.t.\.B.i.t.C.o.
                                                                                                                                                                                                                                        Process:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5120
                                                                                                                                                                                                                                        Entropy (8bit):3.1120606386156644
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fd3gPFzjB1lbdd63A6yrnd3gPFzjB11dd63A6Mwd3gPFzjB1+dd63A6KHBW1:RkpB/kpckpOHy
                                                                                                                                                                                                                                        MD5:03861DB4EB4305E120E6FCE017222BED
                                                                                                                                                                                                                                        SHA1:13A2C4CCEF0EB3606404023FF76C5B4AF5076D42
                                                                                                                                                                                                                                        SHA-256:31FCEA58B117C7732E3E7FC6B3AFFD7A797CF0623B2EF5EC1A18717B8FF6E3AF
                                                                                                                                                                                                                                        SHA-512:CEE0126E747F348BBFE473BF2A3490D54D8F8CC24B1615276AC19B8C89EA4D093442EB68502BF4F46CA7E689402B67BFAC2284FDF766B22888A29DF167A4EAA0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...................................FL..................F.@.. ....O..On...>..@....O..On..........................{....P.O. .:i.....+00.../C:\.....................1......X.-..PROGRA~1..t......O.I.X.-....B...............J.....Bx..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....Z.1......X.-..BitComet..B......X.,.X.-....J.........................B.i.t.C.o.m.e.t.....f.2.....dX.. .BitComet.exe..J......dX...X.,..............................B.i.t.C.o.m.e.t...e.x.e.......U...............-.......T....................C:\Program Files\BitComet\BitComet.exe..../.s.u.s.p.e.n.d.&.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.B.i.t.C.o.m.e.t.\.B.i.t.C.o.m.e.t...e.x.e.........%ProgramFiles%\BitComet\BitComet.exe................................................................................................................................................................................................................................%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.B.i.t.C.o.m.e.t.\.B.i.t.C.o.
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48944
                                                                                                                                                                                                                                        Entropy (8bit):6.755780295147749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:68vbBtr3uL645Mx5wm9sKN6DRtoQpH3e6n9yEM1didV1VaXLkj3XV13hwOOPO9z4:Hp3uORwOO3/c1dGP0+xnOiz4
                                                                                                                                                                                                                                        MD5:633861D85B60EB7DE2E820F4FAC586E0
                                                                                                                                                                                                                                        SHA1:E5666AECD7B9D97627C4A0FC06D52AEA59D7C37D
                                                                                                                                                                                                                                        SHA-256:8EEBBE6A69D030FF7944524E22126218B6AE8CDB349C97FEEDB83CD0686BBB38
                                                                                                                                                                                                                                        SHA-512:8F26D38ABEF1CA2B365A2B1CC6B2A49C55319C59D790C32EC8D5728596FDDCF9252230C200ABAE4609884CBA3449B3EA778785244330F98C8C21CADF8C921AE1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19944
                                                                                                                                                                                                                                        Entropy (8bit):6.115904530529
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:L22mPMNY+DHa3eLzeCvUkjWHhELVWQ4aWSWDqF9e+X01k9z3AzsJO4gdHfQhW:L4M1u3LCskJpWe99R9zusZwfQhW
                                                                                                                                                                                                                                        MD5:8129C96D6EBDAEBBE771EE034555BF8F
                                                                                                                                                                                                                                        SHA1:9B41FB541A273086D3EEF0BA4149F88022EFBAFF
                                                                                                                                                                                                                                        SHA-256:8BCC210669BC5931A3A69FC63ED288CB74013A92C84CA0ABA89E3F4E56E3AE51
                                                                                                                                                                                                                                        SHA-512:CCD92987DA4BDA7A0F6386308611AFB7951395158FC6D10A0596B0A0DB4A61DF202120460E2383D2D2F34CBB4D4E33E4F2E091A717D2FC1859ED7F58DB3B7A18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49456
                                                                                                                                                                                                                                        Entropy (8bit):6.631066056716293
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768://Vqt92EbtYnekejiYF5blvhBVu8suwIppriCAVUValkjvJt3Hy5Z:EmeLT0CpprAqs6tXqZ
                                                                                                                                                                                                                                        MD5:F77B9B6CCCA206535EB9672266A462B1
                                                                                                                                                                                                                                        SHA1:479345A89FB7362CAE53A3040F4EFCEE55B92BF7
                                                                                                                                                                                                                                        SHA-256:BC4EBE3656BE0F502B65A2CA247FFA1B3065EC6FE2E76D3AF21511A0616F855C
                                                                                                                                                                                                                                        SHA-512:9C80E9C83A58C9E2C63F22C17E4FD4DF227F04960AA2212C66A1308512FE02E71CB7300455965109A7E3931ABD38EBD15162FE3CB46C3328F28D1AE175B4EFE3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1835008
                                                                                                                                                                                                                                        Entropy (8bit):4.46590553907061
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ozZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:+ZHtBZWOKnMM6bFpZj4
                                                                                                                                                                                                                                        MD5:EA539BEE62AF7270F9673C794578FDB8
                                                                                                                                                                                                                                        SHA1:7E33D584731E09F506E163822E87DB93DA58BDDD
                                                                                                                                                                                                                                        SHA-256:7091F3670A89E4D52EA8F45C3CAE34A09E9139DF0712F20F2BFCB0350EAC1DC1
                                                                                                                                                                                                                                        SHA-512:638043E4D1A824BC44AB3B16A39411D0928C260A60877BF3E15DAA1010DEE440DD702EEB128F86F315EE8397E53E48A18A7D3373D50A8515D6C332FFBA77DFDF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Entropy (8bit):7.69864039323974
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                        File name:SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                                                                                                                                                                                                                        File size:2'596'280 bytes
                                                                                                                                                                                                                                        MD5:a2af719ea5acf34dbba496a4a2d14b87
                                                                                                                                                                                                                                        SHA1:c034b644776331c512e7b5953993ba9b86ce1728
                                                                                                                                                                                                                                        SHA256:574f282bee0927e2582139d6c6ef565c10e49d5187dc87625aecfeb66d61105f
                                                                                                                                                                                                                                        SHA512:0cfd122fb8676233aa39fb25771e7965d9c3d3d970fc09f8f4113e2938333ba6fb39c1f775fe72063360c7117eed5bb01de91739c7cf9c3628f6c20654edce46
                                                                                                                                                                                                                                        SSDEEP:49152:YBuZrEUzTuyh3kw8bgyjvpnLw7vLnrf/bF4AoK5Y7fnrgVTUvGqeABN4D:GkLzR338ZvpnLo/S57fnrQTU+q1DG
                                                                                                                                                                                                                                        TLSH:30C5E03BB268653ED56E0B3245738220997B7F61A82A8C1F47F03C0CEF765611E3BA55
                                                                                                                                                                                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                                                                        Icon Hash:3371f0d4d4d47117
                                                                                                                                                                                                                                        Entrypoint:0x4b5eec
                                                                                                                                                                                                                                        Entrypoint Section:.itext
                                                                                                                                                                                                                                        Digitally signed:true
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                        Time Stamp:0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                        OS Version Major:6
                                                                                                                                                                                                                                        OS Version Minor:1
                                                                                                                                                                                                                                        File Version Major:6
                                                                                                                                                                                                                                        File Version Minor:1
                                                                                                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                                                                                                        Import Hash:e569e6f445d32ba23766ad67d1e3787f
                                                                                                                                                                                                                                        Signature Valid:true
                                                                                                                                                                                                                                        Signature Issuer:CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                                        Error Number:0
Not Before: 24/11/2023 18:20:30
Not After: 23/11/2026 18:20:29
                                                                                                                                                                                                                                        Subject Chain
                                                                                                                                                                                                                                        • E=wxhere@hotmail.com, CN=Xing Wang, O=Xing Wang, L=Shanghai, C=CN
                                                                                                                                                                                                                                        Version:3
                                                                                                                                                                                                                                        Thumbprint MD5:7A742F7A11DA60D6B28ED77287CB1B98
                                                                                                                                                                                                                                        Thumbprint SHA-1:D1CDF37E4A61C7F13F8DF0BFA4A4A26BAB7AE33B
                                                                                                                                                                                                                                        Thumbprint SHA-256:FD3D28462CA469508569FB0D4DE9C956D168989F192D0558BF9A5FB288DAA54C
                                                                                                                                                                                                                                        Serial:48B06EDB116D54BE21D51656D91CF246
                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                                        add esp, FFFFFFA4h
                                                                                                                                                                                                                                        push ebx
                                                                                                                                                                                                                                        push esi
                                                                                                                                                                                                                                        push edi
                                                                                                                                                                                                                                        xor eax, eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-3Ch], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-40h], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-5Ch], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-30h], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-38h], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-34h], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-2Ch], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-28h], eax
                                                                                                                                                                                                                                        mov dword ptr [ebp-14h], eax
                                                                                                                                                                                                                                        mov eax, 004B14B8h
                                                                                                                                                                                                                                        call 00007FF490F422E5h
                                                                                                                                                                                                                                        xor eax, eax
                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                        push 004B65E2h
                                                                                                                                                                                                                                        push dword ptr fs:[eax]
                                                                                                                                                                                                                                        mov dword ptr fs:[eax], esp
                                                                                                                                                                                                                                        xor edx, edx
                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                        push 004B659Eh
                                                                                                                                                                                                                                        push dword ptr fs:[edx]
                                                                                                                                                                                                                                        mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                        mov eax, dword ptr [004BE634h]
                                                                                                                                                                                                                                        call 00007FF490FE4DD7h
                                                                                                                                                                                                                                        call 00007FF490FE492Ah
                                                                                                                                                                                                                                        lea edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                                        xor eax, eax
                                                                                                                                                                                                                                        call 00007FF490F57D84h
                                                                                                                                                                                                                                        mov edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                                        mov eax, 004C1D84h
                                                                                                                                                                                                                                        call 00007FF490F3CED7h
                                                                                                                                                                                                                                        push 00000002h
                                                                                                                                                                                                                                        push 00000000h
                                                                                                                                                                                                                                        push 00000001h
                                                                                                                                                                                                                                        mov ecx, dword ptr [004C1D84h]
                                                                                                                                                                                                                                        mov dl, 01h
                                                                                                                                                                                                                                        mov eax, dword ptr [004238ECh]
                                                                                                                                                                                                                                        call 00007FF490F58F07h
                                                                                                                                                                                                                                        mov dword ptr [004C1D88h], eax
                                                                                                                                                                                                                                        xor edx, edx
                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                        push 004B654Ah
                                                                                                                                                                                                                                        push dword ptr fs:[edx]
                                                                                                                                                                                                                                        mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                        call 00007FF490FE4E5Fh
                                                                                                                                                                                                                                        mov dword ptr [004C1D90h], eax
                                                                                                                                                                                                                                        mov eax, dword ptr [004C1D90h]
                                                                                                                                                                                                                                        cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                                                                                                        jne 00007FF490FEB07Ah
                                                                                                                                                                                                                                        mov eax, dword ptr [004C1D90h]
                                                                                                                                                                                                                                        mov edx, 00000028h
                                                                                                                                                                                                                                        call 00007FF490F597FCh
                                                                                                                                                                                                                                        mov edx, dword ptr [004C1D90h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0xc4000          0x9a          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc2000          0xfdc         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0x1b2b4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x277628         0x2790
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc6000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc22f4          0x254         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xc3000          0x1a4         .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc7000 | 0x1b2b4 | 0x1b400 | bbeb1a33836d6367aaf68bc8dace5147 | False | 0.5469825114678899 | data | 5.506016941839601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc7528 | 0x3173 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9552097322063354 |
| RT_ICON | 0xca69c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.486498876138649 |
| RT_ICON | 0xdaec4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.6074688796680497 |
| RT_ICON | 0xdd46c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.6775328330206379 |
| RT_ICON | 0xde514 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.7344262295081967 |
| RT_ICON | 0xdee9c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.8182624113475178 |
| RT_STRING | 0xdf304 | 0x360 | data | | | 0.34375 |
| RT_STRING | 0xdf664 | 0x260 | data | | | 0.3256578947368421 |
| RT_STRING | 0xdf8c4 | 0x45c | data | | | 0.4068100358422939 |
| RT_STRING | 0xdfd20 | 0x40c | data | | | 0.3754826254826255 |
| RT_STRING | 0xe012c | 0x2d4 | data | | | 0.39226519337016574 |
| RT_STRING | 0xe0400 | 0xb8 | data | | | 0.6467391304347826 |
| RT_STRING | 0xe04b8 | 0x9c | data | | | 0.6410256410256411 |
| RT_STRING | 0xe0554 | 0x374 | data | | | 0.4230769230769231 |
| RT_STRING | 0xe08c8 | 0x398 | data | | | 0.3358695652173913 |
| RT_STRING | 0xe0c60 | 0x368 | data | | | 0.3795871559633027 |
| RT_STRING | 0xe0fc8 | 0x2a4 | data | | | 0.4275147928994083 |
| RT_RCDATA | 0xe126c | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0xe127c | 0x2c4 | data | | | 0.6384180790960452 |
| RT_RCDATA | 0xe1540 | 0x2c | data | | | 1.2045454545454546 |
| RT_GROUP_ICON | 0xe156c | 0x5a | data | English | United States | 0.7888888888888889 |
| RT_VERSION | 0xe15c8 | 0x584 | data | English | United States | 0.26203966005665724 |
| RT_MANIFEST | 0xe1b4c | 0x765 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39091389329107235 |

| DLL | Import |
|---|---|
| kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
| comctl32.dll | InitCommonControls |
| version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
| user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
| oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
| netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
| advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |

| Name | Ordinal | Address |
|---|---|---|
| TMethodImplementationIntercept | 3 | 0x4541a8 |
| __dbk_fcall_wrapper | 2 | 0x40d0a0 |
| dbkFCallWrapperAddr | 1 | 0x4be63c |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:07:39:26
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe"
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:2'596'280 bytes
                                                                                                                                                                                                                                        MD5 hash:A2AF719EA5ACF34DBBA496A4A2D14B87
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:07:39:27
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-9NCB6.tmp\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.tmp" /SL5="$2041C,1631103,874496,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe"
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:3'207'680 bytes
                                                                                                                                                                                                                                        MD5 hash:3B531BFA13D2F16B94E463747A9B0022
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:07:39:51
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:26'879'352 bytes
                                                                                                                                                                                                                                        MD5 hash:6257440E341224790F7E2D8286B149CE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000006.00000002.2559900252.0000000002996000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:07:39:58
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\BitComet\tools\BitCometService.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\BitComet\tools\BitCometService.exe" /reg
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:2'682'920 bytes
                                                                                                                                                                                                                                        MD5 hash:AE7FBFF183FF30913EBEB38913E8CFAD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000008.00000000.2507776107.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Program Files\BitComet\tools\BitCometService.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        • Detection: 7%, Virustotal
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:07:40:00
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=BitComet_2.07_setup.exe&p=x64
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:83'256 bytes
                                                                                                                                                                                                                                        MD5 hash:EDB96675541D0275C42096B64D794D3B
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:07:40:01
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                        Imagebase:0x7ff7403e0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:07:40:04
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240423073935&oc=ZB_RAV_Cross_Tri_NCB&p=1abd&a=100" -i -v -d -se=true
                                                                                                                                                                                                                                        Imagebase:0x2a71ba40000
                                                                                                                                                                                                                                        File size:45'608 bytes
                                                                                                                                                                                                                                        MD5 hash:732EBDF213C6DB82F652B52D7C36CCD6
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:07:40:06
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
                                                                                                                                                                                                                                        Imagebase:0xf20000
                                                                                                                                                                                                                                        File size:1'184'128 bytes
                                                                                                                                                                                                                                        MD5 hash:143255618462A577DE27286A272584E1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:07:40:09
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\mrybn0ui.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:1'968'176 bytes
                                                                                                                                                                                                                                        MD5 hash:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.2627712939.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.2628396239.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.2626020716.0000000002731000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.2626687861.0000000002733000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.2629767360.0000000002730000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                                        Start time:07:40:11
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\BitComet\BitComet.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\BitComet\BitComet.exe" --no_elevated
                                                                                                                                                                                                                                        Imagebase:0x7ff639cf0000
                                                                                                                                                                                                                                        File size:27'769'744 bytes
                                                                                                                                                                                                                                        MD5 hash:1E74EE00A40D42C984DA333B5E3CEACE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                                        • Detection: 1%, Virustotal
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:07:40:12
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\BitComet\BitComet.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\BitComet\BitComet.exe"
Imagebase:0x7ff639cf0000
File size:27'769'744 bytes
MD5 hash:1E74EE00A40D42C984DA333B5E3CEACE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:17
Start time:07:40:12
Start date:23/04/2024
Path:C:\Program Files\BitComet\tools\BitCometService.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files\BitComet\tools\BitCometService.exe" -service
Imagebase:0x400000
File size:2'682'920 bytes
MD5 hash:AE7FBFF183FF30913EBEB38913E8CFAD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000011.00000000.2656115134.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
Reputation:low
Has exited:false

Target ID:18
Start time:07:40:12
Start date:23/04/2024
Path:C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\nsb7B19.tmp\RAVEndPointProtection-installer.exe" "C:\Users\user\AppData\Local\Temp\mrybn0ui.exe" /silent
Imagebase:0x20956b30000
File size:552'592 bytes
MD5 hash:41A3C2A1777527A41DDD747072EE3EFD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.3603778711.0000020958852000.00000002.00000001.01000000.00000039.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.3604286679.0000020958C8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.3603171860.0000020958762000.00000002.00000001.01000000.00000038.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000002.3604286679.0000020958DFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:true

Target ID:19
Start time:07:40:14
Start date:23/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:20
Start time:07:40:14
Start date:23/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4824 -ip 4824
Imagebase:0x6f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:07:40:14
Start date:23/04/2024
Path:C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Imagebase:0x7ff7e36f0000
File size:817'096 bytes
MD5 hash:DED746A9D2D7B7AFCB3ABE1A24DD3163
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:07:40:14
Start date:23/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:07:40:14
Start date:23/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 964
Imagebase:0x6f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:07:40:14
Start date:23/04/2024
Path:C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Imagebase:0x7ff7e36f0000
File size:817'096 bytes
MD5 hash:DED746A9D2D7B7AFCB3ABE1A24DD3163
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:07:40:15
Start date:23/04/2024
Path:C:\Program Files\BitComet\tools\UPNP.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files\BitComet\tools\UPNP.exe" -addfw -app BitComet -tcpport 7319 -udpport 7319 -q
Imagebase:0x490000
File size:820'528 bytes
MD5 hash:FEBBAF0C03103A63E0141A96535B7745
Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        • Detection: 11%, Virustotal, Browse
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:07:40:16
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\ReasonLabs\EPP\Uninstall.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=RavStub
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:1'968'176 bytes
                                                                                                                                                                                                                                        MD5 hash:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:07:40:18
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\nsz9BFF.tmp\Uninstall.exe" /auto-repair=RavStub
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        File size:1'968'176 bytes
                                                                                                                                                                                                                                        MD5 hash:7533BE3F2041A3C1676863FDB7822C66
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.2758473527.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.2740342968.000000000273B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.2732590021.0000000002739000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.2744857901.0000000002738000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001B.00000003.2735452283.0000000002736000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:07:40:19
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3708.7216.9049188055043856713
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:07:40:19
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\BitComet\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\BitComet\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=117.0.2045.47 --initial-client-data=0x16c,0x170,0x174,0x168,0x140,0x7ffd8ab18e88,0x7ffd8ab18e98,0x7ffd8ab18ea8
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:07:40:21
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1792 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:2
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:07:40:21
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:3
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:07:40:22
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2980 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:8
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:07:40:22
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --first-renderer-process --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632151505 --mojo-platform-channel-handle=3392 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:07:40:22
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632449862 --mojo-platform-channel-handle=3708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:07:40:22
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632595052 --mojo-platform-channel-handle=3696 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:07:40:22
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4632840062 --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:07:40:28
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\117.0.2045.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\BitComet\EBWebView" --webview-exe-name=BitComet.exe --webview-exe-version=2.07 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-nacl --disable-gpu-compositing --lang=en-GB --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=en_CH" --time-ticks-at-unix-epoch=-1713846190060310 --launch-time-ticks=4638180191 --mojo-platform-channel-handle=4708 --field-trial-handle=1796,i,2359236077227598348,11370881663069320587,262144 --enable-features=MojoIpcz /prefetch:1
                                                                                                                                                                                                                                        Imagebase:0x7ff71f840000
                                                                                                                                                                                                                                        File size:3'749'328 bytes
                                                                                                                                                                                                                                        MD5 hash:9909D978B39FB7369F511D8506C17CA0
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:07:40:28
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\BitComet\tools\UPNP.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\BitComet\tools\UPNP.exe" -add -app BitComet -lanip 192.168.2.6 -tcpport 7319 -udpport 7319 -q
                                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                                        File size:820'528 bytes
                                                                                                                                                                                                                                        MD5 hash:FEBBAF0C03103A63E0141A96535B7745
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:07:40:47
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:
                                                                                                                                                                                                                                        Has administrator privileges:
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3179428313.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Offset: 0018F000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_18f000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: /a$H=L=$T=X=$`=d=$t=x=
• API String ID: 0-2244373552
• Opcode ID: a97b22695840a4f33c24d1a527fc1f0c42b0e30fa4900aa9bc78c81e98a5270c
• Instruction ID: 5421b8c08c7acee1c1a7e77c5849d730e9c0e213f17a993f68c7538eccd7c975
• Opcode Fuzzy Hash: a97b22695840a4f33c24d1a527fc1f0c42b0e30fa4900aa9bc78c81e98a5270c
• Instruction Fuzzy Hash: E281E12285D7C29FC7131B7488A91D47FB19E1762176A0ADFC0D0CF5A3E206498BCBA3
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage:21.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:20%
Total number of Nodes:1368
Total number of Limit Nodes:32
4644 4045aa CheckDlgButton 4643->4644 4658 404381 EnableWindow 4644->4658 4646->4639 4651 404773 SendMessageW 4646->4651 4647->4646 4648 4046b5 4652 4047a9 SendMessageW 4648->4652 4651->4639 4652->4629 4653 4045c8 GetDlgItem 4659 404394 SendMessageW 4653->4659 4655 4045de SendMessageW 4656 404604 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4655->4656 4657 4045fb GetSysColor 4655->4657 4656->4639 4657->4656 4658->4653 4659->4655 4660->4648 4664 405a14 ShellExecuteExW 4661->4664 4663 404733 LoadCursorW SetCursor 4663->4632 4664->4663 4665 40149e 4666 4022f7 4665->4666 4667 4014ac PostQuitMessage 4665->4667 4667->4666 4668 401c1f 4669 402c1f 17 API calls 4668->4669 4670 401c26 4669->4670 4671 402c1f 17 API calls 4670->4671 4672 401c33 4671->4672 4673 401c48 4672->4673 4674 402c41 17 API calls 4672->4674 4675 401c58 4673->4675 4676 402c41 17 API calls 4673->4676 4674->4673 4677 401c63 4675->4677 4678 401caf 4675->4678 4676->4675 4680 402c1f 17 API calls 4677->4680 4679 402c41 17 API calls 4678->4679 4681 401cb4 4679->4681 4682 401c68 4680->4682 4683 402c41 17 API calls 4681->4683 4684 402c1f 17 API calls 4682->4684 4685 401cbd FindWindowExW 4683->4685 4686 401c74 4684->4686 4689 401cdf 4685->4689 4687 401c81 SendMessageTimeoutW 4686->4687 4688 401c9f SendMessageW 4686->4688 4687->4689 4688->4689 4690 402aa0 SendMessageW 4691 402ac5 4690->4691 4692 402aba InvalidateRect 4690->4692 4692->4691 4693 402821 4694 402827 4693->4694 4695 402ac5 4694->4695 4696 40282f FindClose 4694->4696 4696->4695 4697 4015a3 4698 402c41 17 API calls 4697->4698 4699 4015aa SetFileAttributesW 4698->4699 4700 4015bc 4699->4700 3542 4034a5 SetErrorMode GetVersion 3543 4034e4 3542->3543 3544 4034ea 3542->3544 3545 4067c2 5 API calls 3543->3545 3546 406752 3 API calls 3544->3546 3545->3544 3547 403500 lstrlenA 3546->3547 3547->3544 3548 403510 3547->3548 3549 4067c2 5 API calls 3548->3549 3550 403517 3549->3550 3551 4067c2 5 API calls 3550->3551 3552 40351e 3551->3552 3553 4067c2 
5 API calls 3552->3553 3554 40352a #17 OleInitialize SHGetFileInfoW 3553->3554 3632 4063e8 lstrcpynW 3554->3632 3557 403576 GetCommandLineW 3633 4063e8 lstrcpynW 3557->3633 3559 403588 3560 405cea CharNextW 3559->3560 3561 4035ad CharNextW 3560->3561 3562 4036d7 GetTempPathW 3561->3562 3570 4035c6 3561->3570 3634 403474 3562->3634 3564 4036ef 3565 4036f3 GetWindowsDirectoryW lstrcatW 3564->3565 3566 403749 DeleteFileW 3564->3566 3567 403474 12 API calls 3565->3567 3644 402f30 GetTickCount GetModuleFileNameW 3566->3644 3571 40370f 3567->3571 3568 405cea CharNextW 3568->3570 3570->3568 3578 4036c2 3570->3578 3579 4036c0 3570->3579 3571->3566 3573 403713 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3571->3573 3572 40375d 3574 403814 ExitProcess OleUninitialize 3572->3574 3580 403800 3572->3580 3586 405cea CharNextW 3572->3586 3577 403474 12 API calls 3573->3577 3575 40394a 3574->3575 3576 40382a 3574->3576 3582 403952 GetCurrentProcess OpenProcessToken 3575->3582 3583 4039ce ExitProcess 3575->3583 3734 405a4e 3576->3734 3584 403741 3577->3584 3731 4063e8 lstrcpynW 3578->3731 3579->3562 3674 403ad8 3580->3674 3590 40396a LookupPrivilegeValueW AdjustTokenPrivileges 3582->3590 3591 40399e 3582->3591 3584->3566 3584->3574 3597 40377c 3586->3597 3590->3591 3593 4067c2 5 API calls 3591->3593 3596 4039a5 3593->3596 3594 403840 3598 4059b9 5 API calls 3594->3598 3595 4037da 3599 405dc5 18 API calls 3595->3599 3600 4039ba ExitWindowsEx 3596->3600 3603 4039c7 3596->3603 3597->3594 3597->3595 3601 403845 lstrcatW 3598->3601 3602 4037e6 3599->3602 3600->3583 3600->3603 3604 403861 lstrcatW lstrcmpiW 3601->3604 3605 403856 lstrcatW 3601->3605 3602->3574 3732 4063e8 lstrcpynW 3602->3732 3743 40140b 3603->3743 3604->3574 3607 40387d 3604->3607 3605->3604 3609 403882 3607->3609 3610 403889 3607->3610 3612 40591f 4 API calls 3609->3612 3614 40599c 2 API calls 3610->3614 3611 4037f5 3733 4063e8 lstrcpynW 3611->3733 3615 403887 3612->3615 3616 40388e 
SetCurrentDirectoryW 3614->3616 3615->3616 3617 4038a9 3616->3617 3618 40389e 3616->3618 3739 4063e8 lstrcpynW 3617->3739 3738 4063e8 lstrcpynW 3618->3738 3621 40640a 17 API calls 3622 4038e8 DeleteFileW 3621->3622 3623 4038f5 CopyFileW 3622->3623 3629 4038b7 3622->3629 3623->3629 3624 40393e 3625 4061ae 36 API calls 3624->3625 3627 403945 3625->3627 3626 4061ae 36 API calls 3626->3629 3627->3574 3628 40640a 17 API calls 3628->3629 3629->3621 3629->3624 3629->3626 3629->3628 3631 403929 CloseHandle 3629->3631 3740 4059d1 CreateProcessW 3629->3740 3631->3629 3632->3557 3633->3559 3635 40667c 5 API calls 3634->3635 3636 403480 3635->3636 3637 40348a 3636->3637 3638 405cbd 3 API calls 3636->3638 3637->3564 3639 403492 3638->3639 3640 40599c 2 API calls 3639->3640 3641 403498 3640->3641 3746 405f0d 3641->3746 3750 405ede GetFileAttributesW CreateFileW 3644->3750 3646 402f73 3673 402f80 3646->3673 3751 4063e8 lstrcpynW 3646->3751 3648 402f96 3649 405d09 2 API calls 3648->3649 3650 402f9c 3649->3650 3752 4063e8 lstrcpynW 3650->3752 3652 402fa7 GetFileSize 3653 4030a8 3652->3653 3657 402fbe 3652->3657 3654 402e8e 32 API calls 3653->3654 3656 4030af 3654->3656 3655 403447 ReadFile 3655->3657 3659 4030eb GlobalAlloc 3656->3659 3656->3673 3754 40345d SetFilePointer 3656->3754 3657->3653 3657->3655 3658 403143 3657->3658 3665 402e8e 32 API calls 3657->3665 3657->3673 3662 402e8e 32 API calls 3658->3662 3661 403102 3659->3661 3666 405f0d 2 API calls 3661->3666 3662->3673 3663 4030cc 3664 403447 ReadFile 3663->3664 3668 4030d7 3664->3668 3665->3657 3667 403113 CreateFileW 3666->3667 3669 40314d 3667->3669 3667->3673 3668->3659 3668->3673 3753 40345d SetFilePointer 3669->3753 3671 40315b 3672 4031d6 44 API calls 3671->3672 3672->3673 3673->3572 3673->3673 3675 4067c2 5 API calls 3674->3675 3676 403aec 3675->3676 3677 403af2 3676->3677 3678 403b04 3676->3678 3763 40632f wsprintfW 3677->3763 3679 4062b6 3 API calls 3678->3679 3680 403b34 3679->3680 3682 403b53 lstrcatW 3680->3682 
3684 4062b6 3 API calls 3680->3684 3683 403b02 3682->3683 3755 403dae 3683->3755 3684->3682 3687 405dc5 18 API calls 3688 403b85 3687->3688 3689 403c19 3688->3689 3691 4062b6 3 API calls 3688->3691 3690 405dc5 18 API calls 3689->3690 3692 403c1f 3690->3692 3693 403bb7 3691->3693 3694 403c2f LoadImageW 3692->3694 3695 40640a 17 API calls 3692->3695 3693->3689 3698 403bd8 lstrlenW 3693->3698 3702 405cea CharNextW 3693->3702 3696 403cd5 3694->3696 3697 403c56 RegisterClassW 3694->3697 3695->3694 3701 40140b 2 API calls 3696->3701 3699 403810 3697->3699 3700 403c8c SystemParametersInfoW CreateWindowExW 3697->3700 3703 403be6 lstrcmpiW 3698->3703 3704 403c0c 3698->3704 3699->3574 3700->3696 3705 403cdb 3701->3705 3707 403bd5 3702->3707 3703->3704 3708 403bf6 GetFileAttributesW 3703->3708 3706 405cbd 3 API calls 3704->3706 3705->3699 3709 403dae 18 API calls 3705->3709 3710 403c12 3706->3710 3707->3698 3711 403c02 3708->3711 3712 403cec 3709->3712 3764 4063e8 lstrcpynW 3710->3764 3711->3704 3714 405d09 2 API calls 3711->3714 3715 403cf8 ShowWindow 3712->3715 3716 403d7b 3712->3716 3714->3704 3717 406752 3 API calls 3715->3717 3765 405523 OleInitialize 3716->3765 3720 403d10 3717->3720 3719 403d81 3721 403d85 3719->3721 3722 403d9d 3719->3722 3723 403d1e GetClassInfoW 3720->3723 3725 406752 3 API calls 3720->3725 3721->3699 3728 40140b 2 API calls 3721->3728 3724 40140b 2 API calls 3722->3724 3726 403d32 GetClassInfoW RegisterClassW 3723->3726 3727 403d48 DialogBoxParamW 3723->3727 3724->3699 3725->3723 3726->3727 3729 40140b 2 API calls 3727->3729 3728->3699 3730 403d70 3729->3730 3730->3699 3731->3579 3732->3611 3733->3580 3735 405a63 3734->3735 3736 403838 ExitProcess 3735->3736 3737 405a77 MessageBoxIndirectW 3735->3737 3737->3736 3738->3617 3739->3629 3741 405a10 3740->3741 3742 405a04 CloseHandle 3740->3742 3741->3629 3742->3741 3744 401389 2 API calls 3743->3744 3745 401420 3744->3745 3745->3583 3747 405f1a GetTickCount GetTempFileNameW 3746->3747 3748 405f50 
3747->3748 3749 4034a3 3747->3749 3748->3747 3748->3749 3749->3564 3750->3646 3751->3648 3752->3652 3753->3671 3754->3663 3756 403dc2 3755->3756 3772 40632f wsprintfW 3756->3772 3758 403e33 3773 403e67 3758->3773 3760 403b63 3760->3687 3761 403e38 3761->3760 3762 40640a 17 API calls 3761->3762 3762->3761 3763->3683 3764->3689 3776 4043ab 3765->3776 3767 405546 3771 40556d 3767->3771 3779 401389 3767->3779 3768 4043ab SendMessageW 3769 40557f OleUninitialize 3768->3769 3769->3719 3771->3768 3772->3758 3774 40640a 17 API calls 3773->3774 3775 403e75 SetWindowTextW 3774->3775 3775->3761 3777 4043c3 3776->3777 3778 4043b4 SendMessageW 3776->3778 3777->3767 3778->3777 3781 401390 3779->3781 3780 4013fe 3780->3767 3781->3780 3782 4013cb MulDiv SendMessageW 3781->3782 3782->3781 4701 404ba6 4702 404bd2 4701->4702 4703 404bb6 4701->4703 4705 404c05 4702->4705 4706 404bd8 SHGetPathFromIDListW 4702->4706 4712 405a32 GetDlgItemTextW 4703->4712 4708 404bef SendMessageW 4706->4708 4709 404be8 4706->4709 4707 404bc3 SendMessageW 4707->4702 4708->4705 4710 40140b 2 API calls 4709->4710 4710->4708 4712->4707 4727 4029a8 4728 402c1f 17 API calls 4727->4728 4729 4029ae 4728->4729 4730 4029d5 4729->4730 4731 4029ee 4729->4731 4735 40288b 4729->4735 4732 4029da 4730->4732 4740 4029eb 4730->4740 4733 402a08 4731->4733 4734 4029f8 4731->4734 4741 4063e8 lstrcpynW 4732->4741 4737 40640a 17 API calls 4733->4737 4736 402c1f 17 API calls 4734->4736 4736->4740 4737->4740 4740->4735 4742 40632f wsprintfW 4740->4742 4741->4735 4742->4735 3831 4028ad 3832 402c41 17 API calls 3831->3832 3833 4028bb 3832->3833 3834 4028d1 3833->3834 3836 402c41 17 API calls 3833->3836 3835 405eb9 2 API calls 3834->3835 3837 4028d7 3835->3837 3836->3834 3859 405ede GetFileAttributesW CreateFileW 3837->3859 3839 4028e4 3840 4028f0 GlobalAlloc 3839->3840 3841 402987 3839->3841 3842 402909 3840->3842 3843 40297e CloseHandle 3840->3843 3844 4029a2 3841->3844 3845 40298f DeleteFileW 3841->3845 3860 40345d 
SetFilePointer 3842->3860 3843->3841 3845->3844 3847 40290f 3848 403447 ReadFile 3847->3848 3849 402918 GlobalAlloc 3848->3849 3850 402928 3849->3850 3851 40295c 3849->3851 3853 4031d6 44 API calls 3850->3853 3852 405f90 WriteFile 3851->3852 3854 402968 GlobalFree 3852->3854 3858 402935 3853->3858 3855 4031d6 44 API calls 3854->3855 3857 40297b 3855->3857 3856 402953 GlobalFree 3856->3851 3857->3843 3858->3856 3859->3839 3860->3847 4750 401a30 4751 402c41 17 API calls 4750->4751 4752 401a39 ExpandEnvironmentStringsW 4751->4752 4753 401a60 4752->4753 4754 401a4d 4752->4754 4754->4753 4755 401a52 lstrcmpW 4754->4755 4755->4753 3931 402032 3932 402044 3931->3932 3933 4020f6 3931->3933 3934 402c41 17 API calls 3932->3934 3935 401423 24 API calls 3933->3935 3936 40204b 3934->3936 3942 402250 3935->3942 3937 402c41 17 API calls 3936->3937 3938 402054 3937->3938 3939 40206a LoadLibraryExW 3938->3939 3940 40205c GetModuleHandleW 3938->3940 3939->3933 3941 40207b 3939->3941 3940->3939 3940->3941 3951 406831 WideCharToMultiByte 3941->3951 3945 4020c5 3947 405450 24 API calls 3945->3947 3946 40208c 3948 401423 24 API calls 3946->3948 3949 40209c 3946->3949 3947->3949 3948->3949 3949->3942 3950 4020e8 FreeLibrary 3949->3950 3950->3942 3952 40685b GetProcAddress 3951->3952 3953 402086 3951->3953 3952->3953 3953->3945 3953->3946 4761 401735 4762 402c41 17 API calls 4761->4762 4763 40173c SearchPathW 4762->4763 4764 401757 4763->4764 4765 402a35 4766 402c1f 17 API calls 4765->4766 4767 402a3b 4766->4767 4768 402a72 4767->4768 4770 40288b 4767->4770 4771 402a4d 4767->4771 4769 40640a 17 API calls 4768->4769 4768->4770 4769->4770 4771->4770 4773 40632f wsprintfW 4771->4773 4773->4770 4774 4014b8 4775 4014be 4774->4775 4776 401389 2 API calls 4775->4776 4777 4014c6 4776->4777 4778 401db9 GetDC 4779 402c1f 17 API calls 4778->4779 4780 401dcb GetDeviceCaps MulDiv ReleaseDC 4779->4780 4781 402c1f 17 API calls 4780->4781 4782 401dfc 4781->4782 4783 40640a 17 API calls 4782->4783 4784 
401e39 CreateFontIndirectW 4783->4784 4785 402592 4784->4785 4786 40283b 4787 402843 4786->4787 4788 402847 FindNextFileW 4787->4788 4791 402859 4787->4791 4789 4028a0 4788->4789 4788->4791 4792 4063e8 lstrcpynW 4789->4792 4792->4791

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetErrorMode.KERNELBASE ref: 004034C8
                                                                                                                                                                                                                                          • GetVersion.KERNEL32 ref: 004034CE
                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
                                                                                                                                                                                                                                          • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
                                                                                                                                                                                                                                          • OleInitialize.OLE32(00000000), ref: 00403545
                                                                                                                                                                                                                                          • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
                                                                                                                                                                                                                                          • GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00000020,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00000000,?,00000006,00000008,0000000A), ref: 004035AE
                                                                                                                                                                                                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                                                                                                                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
                                                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403705
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403721
                                                                                                                                                                                                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
                                                                                                                                                                                                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
                                                                                                                                                                                                                                          • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E
                                                                                                                                                                                                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32(00000006,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                                                                                                                          • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040383A
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040384D
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040385C
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403867
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
                                                                                                                                                                                                                                          • CopyFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
                                                                                                                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403960
                                                                                                                                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
                                                                                                                                                                                                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403998
                                                                                                                                                                                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 004039E0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$.tmp$1033$C:\Program Files\BitComet$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp$C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe$C:\Users\user\AppData\Local\Temp\nsj3575.tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B23
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj3575.tmp\*.*,\*.*), ref: 00405B6B
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405B8E
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj3575.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405B94
                                                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsj3575.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj3575.tmp\*.*,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405BA4
                                                                                                                                                                                                                                          • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
                                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00405C53
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsj3575.tmp\*.*$\*.*
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00406736
                                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00406742
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                                                                                                                                                          • String ID: xgB
                                                                                                                                                                                                                                          • API String ID: 2295610775-399326502
                                                                                                                                                                                                                                          • Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                                                                                                                                                                                                          • Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\nsj3575.tmp, xrefs: 004021C3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsj3575.tmp
                                                                                                                                                                                                                                          • API String ID: 542301482-363374086
                                                                                                                                                                                                                                          • Opcode ID: 4f2286ed38648dcc2c47485c3b8c03fd85972866aeeba554557880fa94d5da5d
                                                                                                                                                                                                                                          • Instruction ID: e2e3704c815c40c35bbcee670b9089186c45407539ca1009a8039cbe375c7a13
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f2286ed38648dcc2c47485c3b8c03fd85972866aeeba554557880fa94d5da5d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                                                                                                                                                            • Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(1033,00423728), ref: 00403B59
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,?,?,?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000000,C:\Program Files\BitComet,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,?,?,?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000000,C:\Program Files\BitComet,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=), ref: 00403BF7
                                                                                                                                                                                                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\BitComet), ref: 00403C40
                                                                                                                                                                                                                                            • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                                                                                                                                                                                                          • RegisterClassW.USER32(004291E0), ref: 00403C7D
                                                                                                                                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403D00
                                                                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
                                                                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
                                                                                                                                                                                                                                          • RegisterClassW.USER32(004291E0), ref: 00403D42
                                                                                                                                                                                                                                          • DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\BitComet$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                                                                          • API String ID: 1975747703-2064987501
                                                                                                                                                                                                                                          • Opcode ID: e176ff3262b2d1e72d3b52b43e3223aecab7214ec1d4ef21ed1b613fd77ea834
                                                                                                                                                                                                                                          • Instruction ID: d9d584b045f25ca5441dadad30e0f8e7905dec5efd4dcfd01c713d0f2754c543
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e176ff3262b2d1e72d3b52b43e3223aecab7214ec1d4ef21ed1b613fd77ea834
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6761C470204601BBE320AF669E45F2B3A7CEB84749F40447FF945B62E2DB7D9912C62D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402F44
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,00000400), ref: 00402F60
                                                                                                                                                                                                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00405EE2
                                                                                                                                                                                                                                            • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00402FA9
                                                                                                                                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp, xrefs: 00402F8B, 00402F90, 00402F96
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S, xrefs: 00402F30
                                                                                                                                                                                                                                          • Error launching installer, xrefs: 00402F80
                                                                                                                                                                                                                                          • Inst, xrefs: 00403017
                                                                                                                                                                                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
                                                                                                                                                                                                                                          • soft, xrefs: 00403020
                                                                                                                                                                                                                                          • Null, xrefs: 00403029
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
                                                                                                                                                                                                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp$C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                                                          • API String ID: 2803837635-3295479551
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000400), ref: 0040654B
                                                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
                                                                                                                                                                                                                                          • SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
                                                                                                                                                                                                                                          • SHGetPathFromIDListW.SHELL32(00000000,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=), ref: 004065A8
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 004065B3
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                                                          • API String ID: 717251189-3764307381
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                                                                                                                                          • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000000,00000000,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,C:\Users\user\AppData\Local\Temp\nsj3575.tmp,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=$C:\Users\user\AppData\Local\Temp\nsj3575.tmp$C:\Users\user\AppData\Local\Temp\nsj3575.tmp
                                                                                                                                                                                                                                          • API String ID: 1941528284-2273061027
                                                                                                                                                                                                                                          • Opcode ID: 9a5bc51b054fa3d2054b83f25f7423f08ec573233d163a5f5bb8c9366ee8d440
                                                                                                                                                                                                                                          • Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a5bc51b054fa3d2054b83f25f7423f08ec573233d163a5f5bb8c9366ee8d440
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 475 406752-406772 GetSystemDirectoryW 476 406774 475->476 477 406776-406778 475->477 476->477 478 406789-40678b 477->478 479 40677a-406783 477->479 481 40678c-4067bf wsprintfW LoadLibraryExW 478->481 479->478 480 406785-406787 479->480 480->481
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                                                                                                                                                          • wsprintfW.USER32 ref: 004067A4
                                                                                                                                                                                                                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067B8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                                                          • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                                                                          • API String ID: 2200240437-1946221925
                                                                                                                                                                                                                                          • Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                                                                                                                                                          • Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                                                                                                          • GlobalAlloc.KERNELBASE(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2667972263-0
                                                                                                                                                                                                                                          • Opcode ID: ca1daf0c84a02556f0ae0f0f0439a2864d74e37ac0f24e18a46676800f978646
                                                                                                                                                                                                                                          • Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca1daf0c84a02556f0ae0f0f0439a2864d74e37ac0f24e18a46676800f978646
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 517 40591f-40596a CreateDirectoryW 518 405970-40597d GetLastError 517->518 519 40596c-40596e 517->519 520 405997-405999 518->520 521 40597f-405993 SetFileSecurityW 518->521 519->520 521->519 522 405995 GetLastError 521->522 522->520
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405976
                                                                                                                                                                                                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00405995
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp, xrefs: 0040591F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp
                                                                                                                                                                                                                                          • API String ID: 3449924974-1162234379
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 523 405f0d-405f19 524 405f1a-405f4e GetTickCount GetTempFileNameW 523->524 525 405f50-405f52 524->525 526 405f5d-405f5f 524->526 525->524 527 405f54 525->527 528 405f57-405f5a 526->528 527->528
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00405F2B
                                                                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF), ref: 00405F46
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • nsa, xrefs: 00405F1A
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S, xrefs: 00405F0D
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CountFileNameTempTick
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                                                                                                                                          • API String ID: 1716503409-1659813095
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 529 4032de-403306 GetTickCount 530 403436-40343e call 402e8e 529->530 531 40330c-403337 call 40345d SetFilePointer 529->531 536 403440-403444 530->536 537 40333c-40334e 531->537 538 403350 537->538 539 403352-403360 call 403447 537->539 538->539 542 403366-403372 539->542 543 403428-40342b 539->543 544 403378-40337e 542->544 543->536 545 403380-403386 544->545 546 4033a9-4033c5 call 406943 544->546 545->546 547 403388-4033a8 call 402e8e 545->547 552 403431 546->552 553 4033c7-4033cf 546->553 547->546 554 403433-403434 552->554 555 4033d1-4033d9 call 405f90 553->555 556 4033f2-4033f8 553->556 554->536 560 4033de-4033e0 555->560 556->552 558 4033fa-4033fc 556->558 558->552 559 4033fe-403411 558->559 559->537 561 403417-403426 SetFilePointer 559->561 562 4033e2-4033ee 560->562 563 40342d-40342f 560->563 561->530 562->544 564 4033f0 562->564 563->554 564->559
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 004032F2
                                                                                                                                                                                                                                            • Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
                                                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
                                                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(04E4D9C2,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FilePointer$CountTick
                                                                                                                                                                                                                                          • String ID: !@
                                                                                                                                                                                                                                          • API String ID: 1092082344-1563068559
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 565 402d44-402d6d call 406255 567 402d72-402d74 565->567 568 402d76-402d7c 567->568 569 402dec-402df0 567->569 570 402d98-402dad RegEnumKeyW 568->570 571 402d7e-402d80 570->571 572 402daf-402dc1 RegCloseKey call 4067c2 570->572 574 402dd0-402dde RegCloseKey 571->574 575 402d82-402d96 call 402d44 571->575 579 402de0-402de6 RegDeleteKeyW 572->579 580 402dc3-402dce 572->580 574->569 575->570 575->572 579->569 580->569
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Close$Enum
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 464197530-0
                                                                                                                                                                                                                                          • Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                                                                                                                                                                                                          • Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 665 4015c1-4015d5 call 402c41 call 405d68 670 401631-401634 665->670 671 4015d7-4015ea call 405cea 665->671 673 401663-402250 call 401423 670->673 674 401636-401655 call 401423 call 4063e8 SetCurrentDirectoryW 670->674 679 401604-401607 call 40599c 671->679 680 4015ec-4015ef 671->680 687 402ac5-402ad4 673->687 688 40288b-402892 673->688 674->687 694 40165b-40165e 674->694 686 40160c-40160e 679->686 680->679 684 4015f1-4015f8 call 4059b9 680->684 684->679 698 4015fa-4015fd call 40591f 684->698 691 401610-401615 686->691 692 401627-40162f 686->692 688->687 696 401624 691->696 697 401617-401622 GetFileAttributesW 691->697 692->670 692->671 694->687 696->692 697->692 697->696 701 401602 698->701 701->686
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405D76
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                                                                            • Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nsj3575.tmp,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\nsj3575.tmp, xrefs: 00401640
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsj3575.tmp
                                                                                                                                                                                                                                          • API String ID: 1892508949-363374086
                                                                                                                                                                                                                                          • Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
                                                                                                                                                                                                                                          • Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 702 405dc5-405de0 call 4063e8 call 405d68 707 405de2-405de4 702->707 708 405de6-405df3 call 40667c 702->708 709 405e3e-405e40 707->709 712 405e03-405e07 708->712 713 405df5-405dfb 708->713 715 405e1d-405e26 lstrlenW 712->715 713->707 714 405dfd-405e01 713->714 714->707 714->712 716 405e28-405e3c call 405cbd GetFileAttributesW 715->716 717 405e09-405e10 call 40672b 715->717 716->709 722 405e12-405e15 717->722 723 405e17-405e18 call 405d09 717->723 722->707 722->723 723->715
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405D76
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
                                                                                                                                                                                                                                            • Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0,00000000), ref: 00405E1E
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,76232EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00405E2E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                                                          • String ID: 0_B
                                                                                                                                                                                                                                          • API String ID: 3248276644-2128305573
                                                                                                                                                                                                                                          • Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                                                                                                                                                                                                          • Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,?,?,0040652A,80000002), ref: 004062FC
                                                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00000000,00422708), ref: 00406307
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=, xrefs: 004062BD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseQueryValue
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=
                                                                                                                                                                                                                                          • API String ID: 3356406503-3961127665
                                                                                                                                                                                                                                          • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                                                                                                                                                          • Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00405A07
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Error launching installer, xrefs: 004059E4
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                                          • String ID: Error launching installer
                                                                                                                                                                                                                                          • API String ID: 3712363035-66219284
                                                                                                                                                                                                                                          • Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                                                                                                                                                                                                          • Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\,00000000,76232EE0,00403A1A,76233420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00403A64
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Free$GlobalLibrary
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                          • API String ID: 1100898210-3936084776
                                                                                                                                                                                                                                          • Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                                                                                                                                                                                                          • Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                                                                                                                                                          • Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                                                                                                                                                          • Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                                                                                                                                                          • Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                                                                                                                                                          • Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                                                                                                                                                          • Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                                                                                                                                                                                                          • Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
  • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
  • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
  • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
  • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
  • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
• LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
Memory Dump Source
• Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalFree.KERNELBASE(00000000), ref: 00401BE7
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
Strings
• "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=, xrefs: 00401B9E, 00401BA4, 00401BBE
Memory Dump Source
• Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=
• API String ID: 3394109436-3961127665
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(0040B5D8,00000023,00000011,00000002), ref: 0040242F
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D8,00000000,00000011,00000002), ref: 0040246F
• RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402557
Memory Dump Source
• Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseValuelstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2655323295-0
                                                                                                                                                                                                                                          • Opcode ID: d3a746a6bbac3f82573acd3c3756226cf7e5e9da6551c7a7d6b941e2adb29f52
                                                                                                                                                                                                                                          • Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3a746a6bbac3f82573acd3c3756226cf7e5e9da6551c7a7d6b941e2adb29f52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
                                                                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 0040253E
                                                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Enum$CloseValue
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 397863658-0
                                                                                                                                                                                                                                          • Opcode ID: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
                                                                                                                                                                                                                                          • Instruction ID: 69a0bd767b5398a5b54c194fc83da7942780fa4e63ecbf8b5358c30743fc2944
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 962e8dbebea2d0e856bbe812d5e95e45bdf7d67f5620c7d5b12d357826d7025c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B017171904204ABEB149F95DE88ABF7AB8EF80348F10403EF505B61D0DAB85E419B69
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00405EB9: GetFileAttributesW.KERNELBASE(?,?,00405ABE,?,?,00000000,00405C94,?,?,?,?), ref: 00405EBE
                                                                                                                                                                                                                                            • Part of subcall function 00405EB9: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405ED2
                                                                                                                                                                                                                                          • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405C94), ref: 00405ACD
                                                                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000000,00405C94), ref: 00405AD5
                                                                                                                                                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405AED
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1655745494-0
                                                                                                                                                                                                                                          • Opcode ID: ee26814d0e89ccba1e58ecbc8b5a308cd0754c8ce938ef3c5221310ac7d33209
                                                                                                                                                                                                                                          • Instruction ID: 2750ea62591d09886f88fd119c0b0bc2019991ac89723f17ff6745a253c15028
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee26814d0e89ccba1e58ecbc8b5a308cd0754c8ce938ef3c5221310ac7d33209
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CE0E531305A9056C7106B759A48B5B3AD8EF8E324F060B3BF592F11C0CBB845068FBD
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(FFFFFFFF,76233420,00403819,00000006,?,00000006,00000008,0000000A), ref: 004039F8
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(FFFFFFFF,76233420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A0C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\nsj3575.tmp\, xrefs: 00403A1C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsj3575.tmp\
                                                                                                                                                                                                                                          • API String ID: 2962429428-1504313281
                                                                                                                                                                                                                                          • Opcode ID: da7f190e0ba48897d51f9f236d42b5a012c81fce650680f21bb6a2f903491feb
                                                                                                                                                                                                                                          • Instruction ID: 07f3e9af7cf607af2e3904837c536be1bfb9407632cbf68cc23e2c2b6ee6fca0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da7f190e0ba48897d51f9f236d42b5a012c81fce650680f21bb6a2f903491feb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FE0863564071496C524EF7CBD4D5853A185B853357204326F0B9F20F0C7389A675E99
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FilePointer
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 973152223-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseQueryValue
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3356406503-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004023B9
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseDeleteValue
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2831762973-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004067EF
                                                                                                                                                                                                                                            • Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
                                                                                                                                                                                                                                            • Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
                                                                                                                                                                                                                                            • Part of subcall function 00406752: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067B8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2547128583-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00405EE2
                                                                                                                                                                                                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 415043291-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,00405ABE,?,?,00000000,00405C94,?,?,?,?), ref: 00405EBE
                                                                                                                                                                                                                                          • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405ED2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1375471231-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 390214022-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Create
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040EC21,0040CED0,004033DE,0040CED0,0040EC21,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062E3,00422708,00000000,?,?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,?), ref: 00406279
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                                                                          • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                          • Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MoveFileExW.KERNELBASE(?,?,00000005,00405CAC,?,00000000,000000F1,?,?,?,?,?), ref: 004061B8
                                                                                                                                                                                                                                            • Part of subcall function 00406034: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                                                                                                                                                                                                            • Part of subcall function 00406034: GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                                                                                                                                                                                                            • Part of subcall function 00406034: GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                                                                                                                                                                                                            • Part of subcall function 00406034: wsprintfA.USER32 ref: 004060B3
                                                                                                                                                                                                                                            • Part of subcall function 00406034: GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                                                                                                                                                                                                            • Part of subcall function 00406034: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                                                                                                                                                                                                            • Part of subcall function 00406034: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                                                                                                                                                                                                            • Part of subcall function 00406034: SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1930046112-0
                                                                                                                                                                                                                                          • Opcode ID: 5c2981ee78e9eb91a8062b4a72072cacb1ad6239914bb5b9483364dec19f5c12
                                                                                                                                                                                                                                          • Instruction ID: 5aa6f9974597dedd37f8aaa805523440b9eb5e1f4d2a52af426e9488f745fafc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c2981ee78e9eb91a8062b4a72072cacb1ad6239914bb5b9483364dec19f5c12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5AD0C731148201BFDB155B10DD0591B7FA5FB50355F11C43EF585540B1EB328475DF05
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FilePointer
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 973152223-0
                                                                                                                                                                                                                                          • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                                                                          • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                                                                                                                                                            • Part of subcall function 004059D1: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
                                                                                                                                                                                                                                            • Part of subcall function 004059D1: CloseHandle.KERNEL32(?), ref: 00405A07
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
                                                                                                                                                                                                                                            • Part of subcall function 00406873: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406884
                                                                                                                                                                                                                                            • Part of subcall function 00406873: GetExitCodeProcess.KERNEL32(?,?), ref: 004068A6
                                                                                                                                                                                                                                            • Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2972824698-0
                                                                                                                                                                                                                                          • Opcode ID: 5e5b465333fec5b7874037cf2aafd3ecfbfec6c2ca92792f458a5198b9edb466
                                                                                                                                                                                                                                          • Instruction ID: 10a4e636b43d3a3985a1d0cc463e40b1499b59a482d83744678f668e8fa05086
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e5b465333fec5b7874037cf2aafd3ecfbfec6c2ca92792f458a5198b9edb466
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9BF09632905011D7CB20FBA189445DE77A49F40318B24417BF901B21D1C77D4D419A6E
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000403), ref: 004055ED
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004055FC
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405639
                                                                                                                                                                                                                                          • GetSystemMetrics.USER32(00000002), ref: 00405640
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 004056DC
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004056FD
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040560B
                                                                                                                                                                                                                                            • Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040574F
                                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00405764
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 00405788
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,00000008), ref: 0040578D
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000008), ref: 004057D7
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
                                                                                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 0040581C
                                                                                                                                                                                                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00405850
                                                                                                                                                                                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
                                                                                                                                                                                                                                          • OpenClipboard.USER32(00000000), ref: 004058B1
                                                                                                                                                                                                                                          • EmptyClipboard.USER32 ref: 004058B7
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004058CD
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405901
                                                                                                                                                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 00405912
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                                          • String ID: (7B${
                                                                                                                                                                                                                                          • API String ID: 590372296-525222780
                                                                                                                                                                                                                                          • Opcode ID: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                                                                                                                                                                                                          • Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d1f977673fe441afad02026140f53aaec566053b515a361d3c8f7f727d52ca3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404DE4
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000408), ref: 00404DEF
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
                                                                                                                                                                                                                                          • LoadBitmapW.USER32(0000006E), ref: 00404E4C
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
                                                                                                                                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
                                                                                                                                                                                                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00404EC2
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,00000005), ref: 0040501C
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
                                                                                                                                                                                                                                          • ImageList_Destroy.COMCTL32(?), ref: 004051EC
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 004051FC
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
                                                                                                                                                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,00000000), ref: 0040539B
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003FE), ref: 004053A6
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 004053AD
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                                                          • String ID: $M$N
                                                                                                                                                                                                                                          • API String ID: 1638840714-813528018
                                                                                                                                                                                                                                          • Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
                                                                                                                                                                                                                                          • Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003FB), ref: 0040489F
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(00000000,?), ref: 004048C9
                                                                                                                                                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040497A
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404985
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=,00423728,00000000,?,?), ref: 004049B7
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=), ref: 004049C3
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5
                                                                                                                                                                                                                                            • Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45
                                                                                                                                                                                                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                                                                                                                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                                                                                                                                                            • Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                                                                                                                                                            • Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                                                                                                                                                          • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3
                                                                                                                                                                                                                                            • Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                                                                                                                                                            • Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
                                                                                                                                                                                                                                            • Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=, xrefs: 004049B1, 004049B6, 004049C1
                                                                                                                                                                                                                                          • A, xrefs: 00404973
                                                                                                                                                                                                                                          • C:\Program Files\BitComet, xrefs: 004049A0
                                                                                                                                                                                                                                          • (7B, xrefs: 0040494D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=$(7B$A$C:\Program Files\BitComet
                                                                                                                                                                                                                                          • API String ID: 2624150263-1092296875
                                                                                                                                                                                                                                          • Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                                                                                                                                                          • Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1974802433-0
                                                                                                                                                                                                                                          • Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                                                                                                                                                                                                          • Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
                                                                                                                                                                                                                                          • ShowWindow.USER32(?), ref: 00403EDF
                                                                                                                                                                                                                                          • DestroyWindow.USER32 ref: 00403EF3
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00403F30
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
                                                                                                                                                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 00403F4B
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 00403FF9
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 00404003
                                                                                                                                                                                                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
                                                                                                                                                                                                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000003), ref: 00404114
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?), ref: 00404135
                                                                                                                                                                                                                                          • EnableWindow.USER32(?,?), ref: 00404147
                                                                                                                                                                                                                                          • EnableWindow.USER32(?,?), ref: 00404162
                                                                                                                                                                                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
                                                                                                                                                                                                                                          • EnableMenuItem.USER32(00000000), ref: 0040417F
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(?,00423728), ref: 004041E8
                                                                                                                                                                                                                                          • ShowWindow.USER32(?,0000000A), ref: 0040431C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                                                                          • String ID: (7B
                                                                                                                                                                                                                                          • API String ID: 184305955-3251261122
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 004045D0
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
                                                                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 004045FE
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 0040461F
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040A), ref: 0040469A
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000), ref: 004046A1
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 004046CC
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 00404720
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00404739
                                                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 0040473C
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=, xrefs: 004046FB
                                                                                                                                                                                                                                          • N, xrefs: 004046BA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\nsj3575.tmp\BitComet_stats.exe" https://www.bitcomet.com/client/install-stats/?l=en_us&file=$N
                                                                                                                                                                                                                                          • API String ID: 3103080414-3271344644
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                                          • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                                          • String ID: F
                                                                                                                                                                                                                                          • API String ID: 941294808-1304234792
                                                                                                                                                                                                                                          • Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                                                                                                                                                          • Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
                                                                                                                                                                                                                                          • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078
                                                                                                                                                                                                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                                                                                                                                                            • Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                                                                                                                                                          • GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
                                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 004060B3
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
                                                                                                                                                                                                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
                                                                                                                                                                                                                                          • SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 0040619C
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3
                                                                                                                                                                                                                                            • Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00405EE2
                                                                                                                                                                                                                                            • Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                                                                          • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                                                                          • API String ID: 2171350718-461813615
                                                                                                                                                                                                                                          • Opcode ID: e35d52778e3551e7046882a86a607d9f87e6bbb1e98b27cedc4e65ae0c3bcd27
                                                                                                                                                                                                                                          • Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e35d52778e3551e7046882a86a607d9f87e6bbb1e98b27cedc4e65ae0c3bcd27
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
                                                                                                                                                                                                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
                                                                                                                                                                                                                                          • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
                                                                                                                                                                                                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S,00403480,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00406706
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S, xrefs: 0040667C
                                                                                                                                                                                                                                          • *?|<>/":, xrefs: 004066CE
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe" /S$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                          • API String ID: 589700163-1119855904
                                                                                                                                                                                                                                          • Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                                                                                                                                                          • Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004043E3
                                                                                                                                                                                                                                          • GetSysColor.USER32(00000000), ref: 00404421
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0040442D
                                                                                                                                                                                                                                          • SetBkMode.GDI32(?,?), ref: 00404439
                                                                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 0040444C
                                                                                                                                                                                                                                          • SetBkColor.GDI32(?,?), ref: 0040445C
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00404476
                                                                                                                                                                                                                                          • CreateBrushIndirect.GDI32(?), ref: 00404480
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2320649405-0
                                                                                                                                                                                                                                          • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                                                                          • Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                                                                                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                                                                                                                            • Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5
                                                                                                                                                                                                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                                                                          • String ID: 9
                                                                                                                                                                                                                                          • API String ID: 163830602-2366072709
                                                                                                                                                                                                                                          • Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                                                                                                                                                                                                          • Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2531174081-0
                                                                                                                                                                                                                                          • Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                                                                                                                                                                                                          • Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402EC7
                                                                                                                                                                                                                                          • wsprintfW.USER32 ref: 00402EF5
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
                                                                                                                                                                                                                                            • Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08), ref: 004054AB
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
                                                                                                                                                                                                                                            • Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B
                                                                                                                                                                                                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402F27
                                                                                                                                                                                                                                            • Part of subcall function 00402E72: MulDiv.KERNEL32(00000000,00000064,00129B82), ref: 00402E87
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                                                                                                                                          • String ID: ... %d%%
                                                                                                                                                                                                                                          • API String ID: 722711167-2449383134
                                                                                                                                                                                                                                          • Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                                                                                                                                                          • Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
                                                                                                                                                                                                                                          • GetMessagePos.USER32 ref: 00404D3D
                                                                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00404D57
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                                          • String ID: f
                                                                                                                                                                                                                                          • API String ID: 41195575-1993550816
                                                                                                                                                                                                                                          • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                                                                          • Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                                                                                                          • wsprintfW.USER32 ref: 00402E45
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00402E55
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                                                                                          • API String ID: 1451636040-1158693248
                                                                                                                                                                                                                                          • Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                                                                                                                                                          • Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
                                                                                                                                                                                                                                          • wsprintfW.USER32 ref: 00404CB6
                                                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                                                                          • String ID: %u.%u%s%s$(7B
                                                                                                                                                                                                                                          • API String ID: 3540041739-1320723960
                                                                                                                                                                                                                                          • Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                                                                                                                                                          • Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                                                                                                                          • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3808545654-0
                                                                                                                                                                                                                                          • Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                                                                                                                                                                                                          • Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1849352358-0
                                                                                                                                                                                                                                          • Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                                                                                                                                                          • Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$Timeout
                                                                                                                                                                                                                                          • String ID: !
                                                                                                                                                                                                                                          • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                                          • Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                                                                                                                                                          • Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,C:\Users\user\AppData\Local\Temp\nsj3575.tmp,00000400,?,?,00000021), ref: 004025E8
                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj3575.tmp,?,?,0040B5D8,000000FF,C:\Users\user\AppData\Local\Temp\nsj3575.tmp,00000400,?,?,00000021), ref: 004025F3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsj3575.tmp
                                                                                                                                                                                                                                          • API String ID: 3109718747-363374086
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
                                                                                                                                                                                                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
                                                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405CDF
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                          • API String ID: 2659869361-3936084776
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsWindowVisible.USER32(?), ref: 004053F3
                                                                                                                                                                                                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 00405444
                                                                                                                                                                                                                                            • Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3748168415-3916222277
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,00402F9C,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00405D0F
                                                                                                                                                                                                                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,00402F9C,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\BitComet_2.07_setup.exe,80000000,00000003), ref: 00405D1F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp, xrefs: 00405D09
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharPrevlstrlen
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp
                                                                                                                                                                                                                                          • API String ID: 2709904686-1162234379
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
                                                                                                                                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
                                                                                                                                                                                                                                          • CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.2558051382.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558013707.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558093806.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000425000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000427000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000435000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558136321.0000000000441000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          • Associated: 00000006.00000002.2558367677.0000000000449000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_400000_BitComet_2.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 190613189-0
                                                                                                                                                                                                                                          • Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                                                                                                                                                          • Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510807930.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511254091.0000000000677000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511300448.0000000000679000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.000000000067B000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.0000000000680000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511389200.0000000000682000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_400000_BitCometService.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Auth$Genu$cAMD$enti$ineI$ntel
                                                                                                                                                                                                                                          • API String ID: 0-1714976780
                                                                                                                                                                                                                                          • Opcode ID: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
                                                                                                                                                                                                                                          • Instruction ID: c59423c1d96c5e2f9c2686e45b52b7fbe6d71f2a21420d71dddde3701b428d54
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1314C77B145560BEB3C98789C843AE20835359334F2AC73BD676EB6E4E47DCC814198
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510807930.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511254091.0000000000677000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511300448.0000000000679000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.000000000067B000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.0000000000680000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511389200.0000000000682000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_400000_BitCometService.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2da9b68ae21d7da327531f1b00c3901689e103dcf450733b6abf74322a886aec
                                                                                                                                                                                                                                          • Instruction ID: dc411a64e3c73bd228d32a490a76efacea924a4573c5897d61d91e0bac13f7f4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2da9b68ae21d7da327531f1b00c3901689e103dcf450733b6abf74322a886aec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A01D1323083524FC700CD3C9A40796FBEAEB96368F194A79F409E32AAD2799D158790
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000008.00000002.2510825818.0000000000401000.00000020.00000001.01000000.00000011.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510807930.0000000000400000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2510943819.0000000000596000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511254091.0000000000677000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511300448.0000000000679000.00000008.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.000000000067B000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511332965.0000000000680000.00000004.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          • Associated: 00000008.00000002.2511389200.0000000000682000.00000002.00000001.01000000.00000011.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_400000_BitCometService.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b3c66d063c414dce9f4c6c17efb052cc7cce3d4e7c6ea25b824a8b16a68bfe09
                                                                                                                                                                                                                                          • Instruction ID: daa30563b6241f8b0c41b551014eb33d8f28dbacc7f24aaa78fe62835a08a5e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b3c66d063c414dce9f4c6c17efb052cc7cce3d4e7c6ea25b824a8b16a68bfe09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28F0BE322083228FC300CE28E540693FBE9EB963A8F110A76F009E7265C7399E01CBD0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                          Execution Coverage:14.3%
                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                          Signature Coverage:4.2%
                                                                                                                                                                                                                                          Total number of Nodes:1474
                                                                                                                                                                                                                                          Total number of Limit Nodes:24
6526->6531 6529 401125 HeapFree 6527->6529 6528->6513 6529->6513 6530->6531 6533 409773 6530->6533 6566 401ca1 lstrlenW 6531->6566 6537 4078c4 9 API calls 6533->6537 6535 40979d 6538 401125 HeapFree 6535->6538 6536 4097af lstrlenW 6536->6533 6539 4097e6 6537->6539 6538->6513 6539->6527 6540 4078c4 9 API calls 6539->6540 6541 409802 6540->6541 6541->6527 6542 40980c 6541->6542 6543 40982d 6542->6543 6569 409591 6542->6569 6578 409613 6543->6578 6546 409837 6546->6546 6587 40abac 6547->6587 6549 401ced InitializeCriticalSection 6550 401d1c __get_sse2_info 6549->6550 6550->6515 6588 40742c EnterCriticalSection 6551->6588 6553 40752e 6554 407542 6553->6554 6555 407537 DeleteCriticalSection 6553->6555 6591 4073af 6554->6591 6555->6554 6559 4078cd 6558->6559 6560 40790b 6558->6560 6559->6560 6561 4078d3 EnterCriticalSection 6559->6561 6560->6515 6562 4078e8 6561->6562 6602 4077e0 6562->6602 6564 4078fa LeaveCriticalSection 6565 401125 HeapFree 6564->6565 6565->6560 6567 40a6a0 __VEC_memcpy 6566->6567 6568 401cc4 6567->6568 6568->6535 6568->6536 6570 40959b 6569->6570 6571 4095cd 6570->6571 6573 4095aa 6570->6573 6572 401125 HeapFree 6571->6572 6574 4095c8 6572->6574 6615 40940c 6573->6615 6574->6543 6577 401125 HeapFree 6577->6574 6579 40961d 6578->6579 6580 40964e 6579->6580 6582 40962c 6579->6582 6581 401125 HeapFree 6580->6581 6584 409649 6581->6584 6583 40940c 66 API calls 6582->6583 6585 40963f 6583->6585 6584->6546 6586 401125 HeapFree 6585->6586 6586->6584 6587->6549 6589 4073af ctype 3 API calls 6588->6589 6590 407444 LeaveCriticalSection 6589->6590 6590->6553 6592 4073e0 6591->6592 6593 4073ba ctype 6591->6593 6594 40687a ctype HeapFree 6592->6594 6593->6592 6597 407244 ctype RaiseException 6593->6597 6598 40721d 6593->6598 6596 4073e7 6594->6596 6597->6593 6599 407232 RaiseException 6598->6599 6600 407225 6598->6600 6600->6599 6601 40722a 6600->6601 6601->6593 6603 4077f4 6602->6603 6604 40788a ctype 6602->6604 6603->6604 6605 4077fd lstrlenW 6603->6605 
6604->6564 6606 40a687 HeapAlloc 6605->6606 6607 407828 lstrlenW 6606->6607 6608 40a687 HeapAlloc 6607->6608 6609 407850 6608->6609 6609->6604 6610 401082 __VEC_memcpy 6609->6610 6611 40786a 6610->6611 6612 401082 __VEC_memcpy 6611->6612 6613 407877 6612->6613 6614 4076e8 3 API calls 6613->6614 6614->6604 6616 40944a LoadLibraryExW 6615->6616 6617 409477 FindResourceW 6616->6617 6618 40946b 6616->6618 6620 409494 LoadResource 6617->6620 6621 40948a 6617->6621 6619 401d2c GetLastError 6618->6619 6623 409470 6619->6623 6620->6621 6622 4094a3 SizeofResource 6620->6622 6624 401d2c GetLastError 6621->6624 6626 4094b4 6622->6626 6627 4094ed 6622->6627 6632 40729f HeapFree 6623->6632 6635 4094c4 6623->6635 6625 40948f FreeLibrary 6624->6625 6625->6623 6626->6635 6641 40729f 6626->6641 6644 40773b 6627->6644 6631 401125 HeapFree 6634 4094d1 6631->6634 6632->6635 6636 40ab6a __except_handler4 5 API calls 6634->6636 6635->6631 6638 4094e3 6636->6638 6637 40950a MultiByteToWideChar 6637->6621 6639 409520 6637->6639 6638->6577 6649 409138 6639->6649 6642 40a66d __freea HeapFree 6641->6642 6643 4072a6 6642->6643 6643->6635 6664 4072c9 6644->6664 6650 40914a 6649->6650 6678 40759b 6650->6678 6652 409211 6653 40ab6a __except_handler4 5 API calls 6652->6653 6654 409221 6653->6654 6654->6625 6655 409250 6656 409206 CoTaskMemFree 6655->6656 6656->6652 6658 407054 7 API calls 6659 409173 6658->6659 6659->6652 6659->6655 6659->6656 6659->6658 6660 407bbf 43 API calls 6659->6660 6661 4091f1 6659->6661 6697 406fb9 6659->6697 6736 407032 6659->6736 6660->6659 6702 407bbf 6661->6702 6665 4072dc 6664->6665 6666 4072e9 6665->6666 6667 401029 RaiseException 6665->6667 6668 4074b7 6666->6668 6667->6666 6669 4074c4 6668->6669 6670 4074cd 6668->6670 6672 4072a8 6669->6672 6670->6625 6670->6637 6677 40a609 HeapAlloc 6672->6677 6674 4072b4 6675 4072c3 6674->6675 6676 401029 RaiseException 6674->6676 6675->6670 6676->6675 6677->6674 6679 4075c1 6678->6679 6680 4076d2 6678->6680 6679->6680 6681 
4075c9 lstrlenW 6679->6681 6683 40ab6a __except_handler4 5 API calls 6680->6683 6740 406e3a 6681->6740 6685 4076e4 6683->6685 6685->6659 6686 4075e5 CoTaskMemFree 6686->6680 6687 40769c CoTaskMemFree 6687->6680 6689 407612 CharNextW 6696 4075f6 6689->6696 6692 40768c CharNextW 6692->6687 6692->6696 6695 407671 CharNextW 6695->6695 6695->6696 6696->6687 6696->6689 6696->6692 6696->6695 6744 406fe4 6696->6744 6749 407570 EnterCriticalSection 6696->6749 6752 4073ec 6696->6752 6759 406e6c 6696->6759 6698 406fbc lstrcmpiW 6697->6698 6699 406fd1 6698->6699 6700 406fdb 6698->6700 6699->6698 6701 406fd7 6699->6701 6700->6659 6701->6659 6735 407c29 6702->6735 6703 407f32 6705 406cd1 RegCloseKey 6703->6705 6704 407c01 lstrcmpiW lstrcmpiW 6704->6735 6726 40804d 6705->6726 6706 407cc2 lstrcmpiW 6708 407ce8 lstrcmpiW 6706->6708 6706->6735 6707 40ab6a __except_handler4 5 API calls 6709 40808c 6707->6709 6708->6735 6709->6656 6710 407054 7 API calls 6710->6735 6711 406fe4 CharNextW 6711->6735 6712 408025 6714 406cd1 RegCloseKey 6712->6714 6713 406d36 RegCloseKey RegOpenKeyExW 6713->6735 6714->6703 6715 4072ee 9 API calls 6715->6735 6716 407928 27 API calls 6716->6735 6719 4071b8 12 API calls 6719->6735 6720 407d8d RegDeleteValueW 6720->6735 6721 406cd1 RegCloseKey 6721->6703 6722 407fe4 lstrlenW 6722->6735 6723 408045 6724 406cd1 RegCloseKey 6723->6724 6724->6726 6725 407bbf 35 API calls 6725->6735 6726->6707 6727 407ece lstrlenW 6727->6735 6728 407183 RegQueryInfoKeyW 6728->6735 6729 406cd1 RegCloseKey 6729->6735 6730 407157 lstrcmpiW 6730->6735 6731 408056 6732 406cd1 RegCloseKey 6731->6732 6732->6726 6733 407fb2 RegDeleteKeyW 6734 408034 6733->6734 6733->6735 6734->6721 6735->6703 6735->6704 6735->6706 6735->6708 6735->6710 6735->6711 6735->6712 6735->6713 6735->6715 6735->6716 6735->6719 6735->6720 6735->6722 6735->6723 6735->6725 6735->6727 6735->6728 6735->6729 6735->6730 6735->6731 6735->6733 6735->6734 6783 406cd1 6735->6783 6786 406ce8 RegCreateKeyExW 6735->6786 6737 
407043 6736->6737 6738 407052 6737->6738 6739 407037 CharNextW 6737->6739 6738->6659 6739->6737 6741 406e46 6740->6741 6765 406b8f 6741->6765 6743 406e59 6743->6686 6743->6696 6745 406ff1 6744->6745 6746 406fef 6744->6746 6747 407007 6745->6747 6748 406ff8 CharNextW 6745->6748 6746->6696 6747->6696 6748->6745 6769 40746b 6749->6769 6753 4073fd lstrlenW 6752->6753 6758 4073f9 6752->6758 6755 406e6c 2 API calls 6753->6755 6756 40741b 6755->6756 6757 401125 HeapFree 6756->6757 6757->6758 6758->6696 6760 406e7e 6759->6760 6764 406edc 6759->6764 6763 406ea6 6760->6763 6760->6764 6779 406bbc 6760->6779 6762 401082 __VEC_memcpy 6762->6764 6763->6762 6763->6764 6764->6696 6766 406ba6 6765->6766 6767 406bb1 CoTaskMemAlloc 6766->6767 6768 406bad 6766->6768 6767->6743 6768->6743 6774 40726c 6769->6774 6772 40747c LeaveCriticalSection 6772->6696 6773 407244 ctype RaiseException 6773->6772 6775 407293 6774->6775 6776 407277 6774->6776 6775->6772 6775->6773 6776->6775 6778 406e09 lstrcmpiW 6776->6778 6778->6776 6780 406bd3 6779->6780 6781 406bda 6780->6781 6782 406bde CoTaskMemRealloc 6780->6782 6781->6763 6782->6763 6784 406ce6 6783->6784 6785 406cdc RegCloseKey 6783->6785 6784->6706 6785->6784 6787 406d1c 6786->6787 6788 406d2c 6787->6788 6789 406cd1 RegCloseKey 6787->6789 6788->6735 6789->6788 6790 403060 OleLockRunning 6791 40308b 6790->6791 7181 404961 7183 40496d 7181->7183 7182 402933 RaiseException 7182->7183 7183->7182 7184 404978 7183->7184 7185 40d762 7190 40a3fb 7185->7190 7187 40d76c 7198 40a966 7187->7198 7189 40d776 7191 40a418 _memset 7190->7191 7192 40a43d GetVersionExA 7191->7192 7193 40a457 7192->7193 7194 401ce1 InitializeCriticalSection 7193->7194 7195 40a48d 7194->7195 7196 40ab6a __except_handler4 5 API calls 7195->7196 7197 40a4a5 7196->7197 7197->7187 7212 40abac 7198->7212 7200 40a972 EnterCriticalSection 7201 40a995 7200->7201 7202 40a98c 7200->7202 7207 40a9a0 LeaveCriticalSection 7201->7207 7213 40a65a HeapSize 7201->7213 7204 40a61c HeapAlloc 
7202->7204 7204->7201 7205 40a9be 7206 40a9e4 LeaveCriticalSection 7205->7206 7208 40a93c 3 API calls 7205->7208 7210 40aa1e __get_sse2_info 7206->7210 7207->7210 7211 40a9dd 7208->7211 7210->7189 7211->7206 7211->7207 7212->7200 7213->7205 5656 408765 5657 408776 5656->5657 5658 40879f 5656->5658 5665 409d65 FindResourceW 5657->5665 5692 409d44 5657->5692 5695 4084de 5658->5695 5660 4087ae 5661 408782 5661->5658 5662 408788 DestroyWindow SetLastError 5661->5662 5662->5660 5666 409db2 FindResourceW 5665->5666 5667 409d9b LoadResource 5665->5667 5669 409dc5 LoadResource 5666->5669 5673 40a030 5666->5673 5667->5666 5668 409da8 LockResource 5667->5668 5668->5666 5670 409dd6 LockResource 5669->5670 5671 40a058 5669->5671 5670->5671 5674 409de7 5670->5674 5672 401d2c GetLastError 5671->5672 5672->5673 5673->5661 5675 409e07 GetWindow 5674->5675 5675->5673 5676 409e29 5675->5676 5676->5673 5677 40a004 GetWindow 5676->5677 5678 409e69 GlobalAlloc 5676->5678 5683 409fe5 #6 5676->5683 5685 409f27 MapDialogRect 5676->5685 5688 409f9a SetWindowContextHelpId 5676->5688 5689 409d44 90 API calls 5676->5689 5690 40a040 #6 5676->5690 5691 409fc8 SetWindowPos 5676->5691 5701 401235 5676->5701 5712 40194e EnterCriticalSection RegisterWindowMessageW RegisterWindowMessageW GetClassInfoExW 5676->5712 5724 40868e 5676->5724 5730 401d2c GetLastError 5676->5730 5677->5676 5678->5673 5679 409e7c GlobalLock 5678->5679 5727 401082 5679->5727 5682 409e8e GlobalUnlock CreateStreamOnHGlobal 5682->5676 5683->5676 5685->5676 5688->5676 5689->5676 5690->5673 5691->5683 5777 409c9e 5692->5777 5696 408501 5695->5696 5966 409bd5 5696->5966 5698 408560 SetWindowLongW 5699 408558 5698->5699 5699->5660 5704 40126e 5701->5704 5710 401267 5701->5710 5702 40ab6a __except_handler4 5 API calls 5703 401393 5702->5703 5703->5676 5704->5710 5732 4011d7 5704->5732 5706 4012c8 #7 5707 4012d6 #6 5706->5707 5709 4012e9 _memset 5706->5709 5707->5710 5709->5707 5711 401315 #6 5709->5711 5710->5702 5711->5710 5713 
401a12 _memset 5712->5713 5714 4019aa LoadCursorW RegisterClassExW 5712->5714 5717 401a1d GetClassInfoExW 5713->5717 5715 401a04 5714->5715 5723 401aa4 5714->5723 5745 4017b2 5715->5745 5718 401a40 LoadCursorW RegisterClassExW 5717->5718 5717->5723 5721 401a96 5718->5721 5718->5723 5719 40145c LeaveCriticalSection 5720 401ab8 5719->5720 5720->5676 5722 4017b2 4 API calls 5721->5722 5722->5723 5723->5719 5766 408457 5724->5766 5726 4086b0 5726->5676 5769 40a6a0 5727->5769 5729 401097 5729->5682 5731 401d36 5730->5731 5731->5676 5733 4011e1 5732->5733 5734 4011ea #4 5732->5734 5733->5706 5734->5733 5735 4011fc 5734->5735 5743 401029 RaiseException 5735->5743 5737 401206 5738 401211 5737->5738 5739 40121a #2 5737->5739 5738->5706 5739->5738 5740 40122a 5739->5740 5741 401029 RaiseException 5740->5741 5742 401234 5741->5742 5744 40104d 5743->5744 5744->5737 5746 4017c5 5745->5746 5748 4017fd 5745->5748 5747 4017dc 5746->5747 5749 401029 RaiseException 5746->5749 5747->5748 5751 40a93c 5747->5751 5748->5713 5749->5747 5752 40a944 5751->5752 5753 40a951 5752->5753 5756 40a900 5752->5756 5753->5748 5755 40a963 5755->5748 5757 40a915 5756->5757 5758 40a90a 5756->5758 5760 40a927 HeapReAlloc 5757->5760 5761 40a91a 5757->5761 5765 40a609 HeapAlloc 5758->5765 5760->5755 5763 40a66d __freea HeapFree 5761->5763 5762 40a912 5762->5755 5764 40a922 5763->5764 5764->5755 5765->5762 5767 408465 5766->5767 5768 40846a CreateWindowExW 5766->5768 5767->5768 5768->5726 5770 40a6b1 5769->5770 5771 40a6ab _memset 5769->5771 5770->5729 5771->5770 5773 40c5f0 5771->5773 5774 40c608 5773->5774 5775 40c637 5774->5775 5776 40c62f __VEC_memcpy 5774->5776 5775->5770 5776->5775 5785 4088c8 5777->5785 5780 409cc5 5829 406144 5780->5829 5781 409cdc 5790 4054a5 5781->5790 5783 409cd8 5783->5661 5786 4088d3 5785->5786 5787 4088da 5785->5787 5786->5780 5786->5781 5838 4084a6 5787->5838 5791 4054b3 5790->5791 5792 4054bd 5790->5792 5791->5783 5841 403691 5792->5841 5795 405504 IsWindow 5795->5791 5797 
405515 5795->5797 5796 4054ec RedrawWindow 5871 40319c 5796->5871 5799 405525 5797->5799 5876 40317c 5797->5876 5801 40554f 5799->5801 5879 401f0e GetParent GetClassNameW 5799->5879 5845 40348a 5801->5845 5808 403691 ctype DestroyAcceleratorTable 5809 40575d 5808->5809 5809->5791 5811 405766 RedrawWindow 5809->5811 5810 40557d 5812 4055c5 GetWindowLongW 5810->5812 5827 40573b 5810->5827 5811->5791 5813 405779 5811->5813 5814 4055e7 GetWindowLongW SetWindowLongW SetWindowPos 5812->5814 5819 4055db 5812->5819 5813->5791 5815 40577f 5813->5815 5814->5819 5816 40319c 3 API calls 5815->5816 5816->5791 5817 40579a 5818 4057b3 #8 5817->5818 5817->5827 5884 4029ef #9 #2 5818->5884 5819->5817 5822 4056a1 lstrlenW GlobalAlloc 5819->5822 5823 4056bf GlobalLock 5822->5823 5828 4056f4 5822->5828 5824 401082 __VEC_memcpy 5823->5824 5825 4056d6 GlobalUnlock CreateStreamOnHGlobal 5824->5825 5825->5828 5827->5791 5827->5808 5828->5827 5830 40194e 14 API calls 5829->5830 5831 406151 5830->5831 5946 40604d 5831->5946 5834 4061be 5834->5783 5839 4084b6 SendMessageW 5838->5839 5840 4084af 5838->5840 5839->5840 5840->5786 5842 4037c7 5841->5842 5843 4036a6 ctype 5841->5843 5842->5795 5842->5796 5843->5842 5844 4037be DestroyAcceleratorTable 5843->5844 5844->5842 5846 4034b4 5845->5846 5861 4034aa 5845->5861 5852 403538 CoCreateInstance 5846->5852 5846->5861 5888 401dc4 5846->5888 5847 40ab6a __except_handler4 5 API calls 5848 40361c 5847->5848 5848->5810 5862 4044a7 5848->5862 5851 403571 lstrlenW 5854 403583 5851->5854 5851->5861 5852->5861 5855 403596 CLSIDFromProgID 5854->5855 5856 40358e CLSIDFromString 5854->5856 5857 40359c 5855->5857 5856->5857 5858 4035a5 #7 5857->5858 5857->5861 5859 4035b2 CoGetClassObject 5858->5859 5860 4035f6 CoCreateInstance 5858->5860 5859->5861 5860->5861 5861->5847 5863 4044b8 5862->5863 5864 4044bf 5862->5864 5863->5810 5864->5863 5865 4046c9 GetClientRect 5864->5865 5894 40253c 5865->5894 5867 404708 5900 4024bf 5867->5900 5869 40473d 5870 404782 
RedrawWindow 5869->5870 5870->5863 5872 4031b8 DestroyWindow 5871->5872 5873 4031a8 5871->5873 5875 4031af 5872->5875 5906 4027bf GetWindowLongW 5873->5906 5875->5795 5910 402781 5876->5910 5880 401f39 lstrcmpW 5879->5880 5881 401f4d 5879->5881 5880->5881 5882 40ab6a __except_handler4 5 API calls 5881->5882 5883 401f57 GetSysColor 5882->5883 5883->5801 5885 402a28 #9 #9 5884->5885 5886 402a0f 5884->5886 5885->5827 5886->5885 5887 401029 RaiseException 5886->5887 5887->5885 5889 401dfd 5888->5889 5891 401dce 5888->5891 5889->5851 5889->5852 5890 401df4 CharNextW 5890->5889 5890->5891 5891->5889 5891->5890 5892 401e02 CharNextW 5891->5892 5893 401ded CharNextW 5891->5893 5892->5889 5893->5891 5895 402545 5894->5895 5898 40254f 5894->5898 5896 401029 RaiseException 5895->5896 5896->5898 5897 402562 6 API calls 5897->5867 5898->5897 5899 401029 RaiseException 5898->5899 5899->5897 5901 4024d2 5900->5901 5902 4024c8 5900->5902 5904 4024e5 6 API calls 5901->5904 5905 401029 RaiseException 5901->5905 5903 401029 RaiseException 5902->5903 5903->5901 5904->5869 5905->5904 5907 4027e0 SetWindowLongW 5906->5907 5908 4027dc 5906->5908 5909 4027f4 5907->5909 5908->5907 5908->5909 5909->5875 5911 40278a 5910->5911 5916 401e3a 5911->5916 5914 40279a 5914->5799 5915 40279e SetWindowLongW 5915->5914 5917 401e42 5916->5917 5918 401e47 5916->5918 5922 40a2bf 5917->5922 5921 401e5c 5918->5921 5936 401e07 GetCurrentProcess FlushInstructionCache 5918->5936 5921->5914 5921->5915 5923 40a21f 5922->5923 5924 40a232 5923->5924 5925 40a229 5923->5925 5927 40a253 5924->5927 5928 40a23c GetProcessHeap HeapAlloc 5924->5928 5937 40a15d IsProcessorFeaturePresent 5925->5937 5932 40a2a0 5927->5932 5933 40a25e VirtualAlloc 5927->5933 5930 40a251 5928->5930 5931 40a275 5928->5931 5929 40a22e 5929->5924 5929->5931 5930->5918 5931->5918 5932->5918 5933->5931 5934 40a279 5933->5934 5934->5932 5935 40a28e VirtualFree 5934->5935 5935->5932 5936->5921 5938 40a172 LoadLibraryA 5937->5938 5939 40a16a 
5937->5939 5940 40a188 GetProcAddress GetProcAddress 5938->5940 5941 40a1a8 5938->5941 5939->5929 5940->5941 5942 40a1ca GetProcessHeap HeapAlloc 5941->5942 5945 40a1ff 5941->5945 5943 40a1e2 InterlockedCompareExchange 5942->5943 5942->5945 5944 40a1f4 GetProcessHeap HeapFree 5943->5944 5943->5945 5944->5945 5945->5929 5947 406060 5946->5947 5948 406059 5946->5948 5949 40a687 HeapAlloc 5947->5949 5948->5834 5952 401207 5948->5952 5950 406072 5949->5950 5950->5948 5958 405e80 5950->5958 5953 401211 #6 5952->5953 5954 40121a #2 5952->5954 5953->5834 5954->5953 5955 40122a 5954->5955 5956 401029 RaiseException 5955->5956 5957 401234 5956->5957 5959 405e95 5958->5959 5962 401c13 5959->5962 5965 401b4a GetSysColor 5962->5965 5964 401c1b 5964->5948 5965->5964 5967 408520 5966->5967 5968 409bec 5966->5968 5967->5698 5967->5699 5981 409b6c 5968->5981 5971 409c16 5988 405b93 GetCurrentThreadId 5971->5988 5972 409c3b 5974 409c43 5972->5974 5975 409c59 5972->5975 5997 405bf6 GetCurrentThreadId 5974->5997 5975->5967 5977 409c80 5975->5977 5978 409c67 5975->5978 5977->5967 5980 401473 2 API calls 5977->5980 6001 401473 5978->6001 5980->5967 5982 409b96 5981->5982 5983 409b75 5981->5983 5982->5967 5982->5971 5982->5972 5984 409ba6 5983->5984 5985 409b7f 5983->5985 5984->5982 6009 409040 5984->6009 6004 4093e7 5985->6004 6075 401b05 EnterCriticalSection 5988->6075 5992 405bc8 5993 401845 4 API calls 5992->5993 5994 405be2 5993->5994 6086 401ac0 5994->6086 5998 401b05 4 API calls 5997->5998 5999 405c0f 5998->5999 6000 405c45 KillTimer 5999->6000 6000->5967 6104 401191 DestroyWindow PostQuitMessage 6001->6104 6016 408ec0 FindResourceW 6004->6016 6007 409040 9 API calls 6008 4093fc 6007->6008 6008->5982 6013 40904b 6009->6013 6010 409128 6010->5982 6011 40907b GetDlgItem 6011->6010 6011->6013 6013->6010 6013->6011 6060 4010ed 6013->6060 6063 408b40 6013->6063 6071 408915 6013->6071 6017 408f05 LoadResource 6016->6017 6018 409026 6016->6018 6017->6018 6019 408f15 LockResource 
6017->6019 6020 40ab6a __except_handler4 5 API calls 6018->6020 6019->6018 6025 408f26 6019->6025 6021 409039 6020->6021 6021->6007 6023 4088a8 10 API calls 6023->6025 6025->6018 6025->6023 6026 408fea SendDlgItemMessageW 6025->6026 6027 40a66d HeapFree __freea 6025->6027 6028 4088a8 6025->6028 6026->6025 6027->6025 6029 4088b6 6028->6029 6032 4086b4 6029->6032 6033 4086c4 SendDlgItemMessageW 6032->6033 6034 4086cb lstrlenA 6032->6034 6033->6025 6043 4085a5 6034->6043 6037 40870a GetLastError 6038 408715 MultiByteToWideChar 6037->6038 6040 408755 6037->6040 6039 4085a5 4 API calls 6038->6039 6041 40873a MultiByteToWideChar 6039->6041 6040->6033 6050 4083e3 GetLastError 6040->6050 6041->6040 6049 4085b1 6043->6049 6044 401029 RaiseException 6044->6049 6046 40a93c 3 API calls 6046->6049 6047 40a66d __freea HeapFree 6047->6049 6048 4085fb MultiByteToWideChar 6048->6033 6048->6037 6049->6044 6049->6046 6049->6047 6049->6048 6054 40a61c 6049->6054 6051 4083ed 6050->6051 6052 401029 RaiseException 6051->6052 6053 4083fd 6052->6053 6055 40a625 6054->6055 6056 40a632 6055->6056 6059 40a609 HeapAlloc 6055->6059 6056->6049 6058 40a642 _memset 6058->6049 6059->6058 6061 4010f6 6060->6061 6062 4010fd SendMessageW 6060->6062 6061->6013 6062->6061 6066 408b75 6063->6066 6070 408c71 6063->6070 6064 40ab6a __except_handler4 5 API calls 6065 408dfc 6064->6065 6065->6013 6067 401082 __VEC_memcpy 6066->6067 6066->6070 6068 408c31 6067->6068 6069 401082 __VEC_memcpy 6068->6069 6068->6070 6069->6070 6070->6064 6072 408920 6071->6072 6073 40892a 6071->6073 6074 401029 RaiseException 6072->6074 6073->6013 6074->6073 6090 401ae2 6075->6090 6078 40145c LeaveCriticalSection 6079 401b42 6078->6079 6080 401845 6079->6080 6081 401858 6080->6081 6083 401890 6080->6083 6082 40186f 6081->6082 6084 401029 RaiseException 6081->6084 6082->6083 6085 40a93c 3 API calls 6082->6085 6083->5992 6084->6082 6085->6083 6087 401acc 6086->6087 6088 401ade 6086->6088 6098 4018b7 6087->6098 6088->5967 6091 
401aee 6090->6091 6092 401af3 LeaveCriticalSection 6091->6092 6094 407244 6091->6094 6092->6078 6095 40725a RaiseException 6094->6095 6096 40724c 6094->6096 6096->6095 6097 407251 6096->6097 6097->6092 6099 4018ca 6098->6099 6100 401902 6098->6100 6101 4018e1 6099->6101 6102 401029 RaiseException 6099->6102 6100->6088 6101->6100 6103 40a93c 3 API calls 6101->6103 6102->6101 6103->6100 7214 402b65 7215 402b8d 7214->7215 7216 402b6e 7214->7216 7216->7215 7218 40139b 7216->7218 7219 4013cc #6 7218->7219 7220 4013a8 ctype 7218->7220 7219->7220 7220->7215 7296 40cfe8 7297 40cffa 7296->7297 7298 40d008 @_EH4_CallFilterFunc@8 7296->7298 7299 40ab6a __except_handler4 5 API calls 7297->7299 7299->7298 6792 40a06a GetThreadLocale GetLocaleInfoA 6793 40a0b8 GetACP 6792->6793 6795 40a099 6792->6795 6794 40a0c0 6793->6794 6796 40ab6a __except_handler4 5 API calls 6794->6796 6795->6793 6795->6794 6797 40a0cd 6796->6797 7300 40d1eb 7307 40aaf0 7300->7307 7302 40d27c IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7303 40d2b3 __invoke_watson 7302->7303 7304 40d2bf GetCurrentProcess TerminateProcess 7302->7304 7303->7304 7305 40ab6a __except_handler4 5 API calls 7304->7305 7306 40d2df 7305->7306 7308 40aafc __VEC_memzero 7307->7308 7308->7302 6798 404c6c 6801 404c3d 6798->6801 6804 404dd5 6801->6804 6805 404ddf 6804->6805 6806 404df0 DestroyWindow 6805->6806 6807 404c59 6805->6807 6806->6807 6808 404e70 6811 404df9 6808->6811 6812 404dd5 ctype DestroyWindow 6811->6812 6813 404e15 6812->6813 7048 406af1 7049 406b18 7048->7049 7051 406afc 7048->7051 7051->7049 7052 406a96 7051->7052 7053 406aab RaiseException 7052->7053 7054 406a9e 7052->7054 7055 406ac5 7053->7055 7054->7053 7056 406aa3 7054->7056 7055->7051 7056->7051 7309 4053f3 7310 403691 ctype DestroyAcceleratorTable 7309->7310 7311 40540e 7310->7311 7312 40543a IsWindow 7311->7312 7315 40542b RedrawWindow 7311->7315 7313 405448 7312->7313 7314 405499 7312->7314 7316 405459 7313->7316 7318 40317c 16 API 
calls 7313->7318 7317 40319c 3 API calls 7315->7317 7319 4044a7 15 API calls 7316->7319 7317->7312 7318->7316 7320 40546d 7319->7320 7320->7314 7321 403691 ctype DestroyAcceleratorTable 7320->7321 7322 40547c 7321->7322 7322->7314 7323 405483 RedrawWindow 7322->7323 7323->7314 7324 405492 7323->7324 7325 40319c 3 API calls 7324->7325 7325->7314 5596 404074 5597 4040a6 EnterCriticalSection 5596->5597 5598 40409a 5596->5598 5599 4040cd 5597->5599 5609 4041c7 5597->5609 5598->5597 5605 40409f 5598->5605 5602 40413e #162 5599->5602 5606 4040f4 GetModuleFileNameW 5599->5606 5601 40422e 5612 40413c 5602->5612 5632 40ab6a 5605->5632 5608 404112 5606->5608 5606->5609 5607 404211 5629 40145c 5607->5629 5608->5609 5610 404120 #161 5608->5610 5609->5607 5621 402a2e 5609->5621 5614 401125 5610->5614 5612->5609 5618 404058 5612->5618 5617 40112a 5614->5617 5615 40113c 5615->5612 5617->5615 5640 40a66d 5617->5640 5643 403427 5618->5643 5622 402a46 5621->5622 5623 40a687 HeapAlloc 5622->5623 5624 402ab5 5622->5624 5625 402a86 5622->5625 5623->5625 5624->5607 5625->5624 5628 402b33 #6 5625->5628 5652 401da8 5625->5652 5628->5625 5630 401471 5629->5630 5631 401465 LeaveCriticalSection 5629->5631 5630->5605 5631->5630 5633 40ab72 5632->5633 5634 40ab74 IsDebuggerPresent 5632->5634 5633->5601 5655 40d5cc 5634->5655 5637 40cf1e SetUnhandledExceptionFilter UnhandledExceptionFilter 5638 40cf43 GetCurrentProcess TerminateProcess 5637->5638 5639 40cf3b __invoke_watson 5637->5639 5638->5601 5639->5638 5641 40a674 HeapFree 5640->5641 5642 40a686 5640->5642 5641->5642 5642->5617 5644 403434 5643->5644 5645 40343b 5643->5645 5644->5609 5650 40a687 5645->5650 5647 403444 5647->5644 5648 403452 EnterCriticalSection 5647->5648 5649 40145c LeaveCriticalSection 5648->5649 5649->5644 5651 40a609 HeapAlloc 5650->5651 5651->5647 5653 401db6 #6 5652->5653 5654 401dbf #7 5652->5654 5653->5654 5654->5625 5655->5637 7057 4022f5 7058 40230d 7057->7058 7059 402303 7057->7059 7058->7059 7060 402317 GetDC 
7058->7060 7060->7059 7061 402330 7060->7061 7061->7059 7062 40233e GetClientRect 7061->7062 7063 402351 CreateCompatibleDC 7062->7063 7066 4023a9 7062->7066 7065 402360 CreateCompatibleBitmap 7063->7065 7063->7066 7064 4023b0 FillRect 7064->7059 7067 402392 DeleteDC 7065->7067 7068 40237d SelectObject 7065->7068 7066->7059 7066->7064 7067->7066 7069 402389 DeleteObject 7068->7069 7070 40239b DeleteObject 7068->7070 7069->7067 7070->7066 7071 4060f6 7072 406110 7071->7072 7073 406109 7071->7073 7072->7073 7075 405fee 7072->7075 7076 405fff 7075->7076 7077 405f6f 13 API calls 7076->7077 7078 406013 7077->7078 7079 404d11 21 API calls 7078->7079 7080 406047 7079->7080 7080->7073 7221 40d778 7226 40a3d5 7221->7226 7224 40a966 7 API calls 7225 40d78c 7224->7225 7227 40a3dd 7226->7227 7230 40a2c4 7227->7230 7231 40a2d3 7230->7231 7232 40a2cc 7230->7232 7231->7232 7233 401ce1 InitializeCriticalSection 7231->7233 7232->7224 7233->7232 7081 4074fd 7084 4068e7 7081->7084 7083 40750b ctype 7085 4068f3 7084->7085 7086 40691d 7084->7086 7087 4068ff DeleteCriticalSection 7085->7087 7090 4064f3 7085->7090 7086->7083 7087->7086 7091 4064fc RaiseException 7090->7091 7092 40650b ctype 7090->7092 7091->7092 7092->7087 7093 4092ff 7096 404f03 7093->7096 7097 404f0f 7096->7097 7098 404f16 7096->7098 7098->7097 7099 404074 16 API calls 7098->7099 7099->7097 6814 408e00 6815 40778f ctype 3 API calls 6814->6815 6816 408e08 ctype 6815->6816 7100 406480 KillTimer PostQuitMessage 7234 403b00 7235 403b19 7234->7235 7238 403b0f 7234->7238 7236 403b41 #7 7235->7236 7235->7238 7237 403b51 #149 CoTaskMemAlloc 7236->7237 7236->7238 7237->7238 7239 403b77 7237->7239 7240 401ca1 2 API calls 7239->7240 7240->7238 5595 401181 IsDialogMessageW 6817 401003 PostQuitMessage 6818 40aa03 6819 40aa15 LeaveCriticalSection 6818->6819 6820 40aa1e __get_sse2_info 6819->6820 6821 403010 GetDC 6822 403027 6821->6822 6824 40302e ReleaseDC 6821->6824 6824->6822 6825 40ac10 6826 40ac48 6825->6826 6827 40ac3b 

Control-flow Graph

APIs
• FindResourceW.KERNEL32(?,000000F0), ref: 00409D87
• LoadResource.KERNEL32(00000000), ref: 00409DA2
• GetWindow.USER32(?,00000002), ref: 0040A009
• LockResource.KERNEL32(00000000), ref: 00409DA9
  • Part of subcall function 00401D2C: GetLastError.KERNEL32(0040948F), ref: 00401D2C
• FindResourceW.KERNEL32(?,00000005), ref: 00409DBB
• LoadResource.KERNEL32(00000000), ref: 00409DCC
• LockResource.KERNEL32(00000000), ref: 00409DD7
• GetWindow.USER32(?,00000005), ref: 00409E13
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00409E6C
• GlobalLock.KERNEL32(00000000), ref: 00409E7D
• GlobalUnlock.KERNEL32(00000000), ref: 00409E92
• CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 00409E9F
• MapDialogRect.USER32(00000000,?), ref: 00409F39
• SetWindowContextHelpId.USER32(00000000,00000000), ref: 00409F9C
• SetWindowPos.USER32(00000000,?,00000000,00000000,00000000,00000000,00000013,?,00000000,00000000,00000000), ref: 00409FD2
• #6.OLEAUT32(00000000), ref: 00409FE8
Memory Dump Source
• Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
Similarity
• API ID: Resource$GlobalWindow$Lock$FindLoad$AllocContextCreateDialogErrorHelpLastRectStreamUnlock
• String ID:
• API String ID: 3889352284-0
• Opcode ID: 9a63fbb2dd714ba350ba2e888deb5622258a00963ab25326d0d189ca7ae26512
• Instruction ID: b32264a182df8b8185a25ae9e4a093f941d12f3cf307d36edcfa630756bfb5d0
• Opcode Fuzzy Hash: 9a63fbb2dd714ba350ba2e888deb5622258a00963ab25326d0d189ca7ae26512
• Instruction Fuzzy Hash: CDA1AC71900209EBDB209FA1DD44ABFBBB9EF44701F14842AF845F62E1E7399D40DB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetProcessHeap.KERNEL32(00000000,0000000D,00000014,00401E47,00000000,004081CA,00000000,00000000,?,?,004102E0), ref: 0040A240
• HeapAlloc.KERNEL32(00000000,?,?,004102E0), ref: 0040A247
  • Part of subcall function 0040A15D: IsProcessorFeaturePresent.KERNEL32(0000000C,?,0040A22E,00000014,00401E47,00000000,004081CA,00000000,00000000,?,?,004102E0), ref: 0040A160
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,004102E0), ref: 0040A269
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004102E0), ref: 0040A296
Memory Dump Source
• Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
Similarity
• API ID: AllocHeapVirtual$FeatureFreePresentProcessProcessor
• String ID:
• API String ID: 4058086966-0
• Opcode ID: 4eef6948829efe3343bb29585dc7892d8ee7b201fb463e6bf931d3ddf1ee949c
• Instruction ID: 07394e22955033af2d43ad660e51909c4cc8c1264f72119093e848aa411fdedd
• Opcode Fuzzy Hash: 4eef6948829efe3343bb29585dc7892d8ee7b201fb463e6bf931d3ddf1ee949c
• Instruction Fuzzy Hash: 2C11C831240320EBDB611B64BC0CF9A3759AB44741F1444BAFA49F63E0DBF98CA1865E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00406279
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0040628D
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00406297
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004062A7
                                                                                                                                                                                                                                          • OleUninitialize.OLE32 ref: 004062B7
                                                                                                                                                                                                                                          • OleInitialize.OLE32(00000000), ref: 004062C5
                                                                                                                                                                                                                                          • GetWindowTextLengthW.USER32(?), ref: 004062CE
                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 004062E1
                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00406310
                                                                                                                                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00406466
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Long$InitializeLengthProcTextUninitialize__alloca_probe_16__freea
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 28949450-0
                                                                                                                                                                                                                                          • Opcode ID: 8aa04fe590e36e3a70198cffcadc8070c0d19e8d623510fa997590622132b48b
                                                                                                                                                                                                                                          • Instruction ID: 9722be613339ca3db09fd7b727bd1f44c9c3ac900b7060599eb43628a4f9981e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8aa04fe590e36e3a70198cffcadc8070c0d19e8d623510fa997590622132b48b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F771AE31900109AFDF00AFA5CD88DAE7BB9EF04314B11497EF906F62A1CB389D61CB59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004054F6
                                                                                                                                                                                                                                          • IsWindow.USER32(?), ref: 00405507
                                                                                                                                                                                                                                          • GetSysColor.USER32(00000005), ref: 00405543
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 004055D2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$ColorLongRedraw
                                                                                                                                                                                                                                          • String ID: t@
                                                                                                                                                                                                                                          • API String ID: 4056730343-2916730932
                                                                                                                                                                                                                                          • Opcode ID: 2472e1211d9bdd42d287035a8e9e656ac211c83ecab8aeb96341efffc71a24dc
                                                                                                                                                                                                                                          • Instruction ID: a44568e81ff579c681077a249f66688bf6b6d7c62f676c4b8034998814c2c4d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2472e1211d9bdd42d287035a8e9e656ac211c83ecab8aeb96341efffc71a24dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AB16674900609EBDB109F69CC44BAF77B9EF44314F54886AF845AB2D0CB39AE51DF28
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: EnterCriticalSection.KERNEL32(004102E4,7693A7D0,0041025C,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE), ref: 00401960
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401975
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401981
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWin80,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 0040199E
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 004019D2
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 004019EF
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: _memset.LIBCMT ref: 00401A18
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWinLic80,?,?,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000), ref: 00401A33
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 00401A68
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 00401A85
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(?,?,00000005,0041025C,00000000,?,7693A7D0,0041025C), ref: 0040820D
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(?,?,000000F0,?), ref: 00408226
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 0040823A
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 0040823D
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(?), ref: 0040824B
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00408252
                                                                                                                                                                                                                                          • CreateDialogIndirectParamW.USER32(?,00000000,?,?,?), ref: 00408273
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00408281
                                                                                                                                                                                                                                          • GlobalHandle.KERNEL32(00000000), ref: 00408290
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00408297
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040829F
                                                                                                                                                                                                                                          • SetLastError.KERNEL32(?), ref: 004082B5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$ClassLoadRegister$ErrorLast$CursorFindGlobalInfoLockMessageWindow$CreateCriticalDialogEnterFreeHandleIndirectParamSection_memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2992142088-0
                                                                                                                                                                                                                                          • Opcode ID: b34073fe35a2a4e5d7bae0d1118e0bbe55324e039accc3641cb14715aa09f1ff
                                                                                                                                                                                                                                          • Instruction ID: 558fcba7b94dea7674d76278d1cd815747eb906cd404d6e5577c9207027ed8de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b34073fe35a2a4e5d7bae0d1118e0bbe55324e039accc3641cb14715aa09f1ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB21A171104715AFD711AF629E48A2FBBE8FF85710F050C3DF980B2250DB7998159AAA
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoInitialize.OLE32(00000000,7693A7D0,00000000,?,0040AACE,00000000), ref: 00409B00
                                                                                                                                                                                                                                          • DefWindowProcW.USER32(00000000,00000000,00000000,00000000,?,0040AACE,00000000), ref: 00409B0A
                                                                                                                                                                                                                                            • Part of subcall function 00406533: InitCommonControlsEx.COMCTL32(?,?,?,?,00409B17,00000004,?,0040AACE,00000000), ref: 00406549
                                                                                                                                                                                                                                            • Part of subcall function 004069F4: GetCurrentThreadId.KERNEL32(00000000,00000000,00000000,7693A7D0,0041025C,?,00409B29,00000000,?,00000000,?,0040AACE,00000000), ref: 00406A12
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: EnterCriticalSection.KERNEL32(004102E4,7693A7D0,0041025C,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE), ref: 00401960
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401975
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401981
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWin80,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 0040199E
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 004019D2
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 004019EF
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: _memset.LIBCMT ref: 00401A18
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWinLic80,?,?,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000), ref: 00401A33
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 00401A68
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 00401A85
                                                                                                                                                                                                                                          • CoUninitialize.OLE32(00000000,?,00000000,?,0040AACE,00000000), ref: 00409B44
                                                                                                                                                                                                                                          • MessageBoxExW.USER32(00000000,This program will visit the given URL and exit.It is usually used for statistical purpose.Usage: stats.exe <URL>,Tip,00000030,00000002,00000000,?,0040AACE,00000000), ref: 00409B5E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • ://, xrefs: 00409AEB
                                                                                                                                                                                                                                          • This program will visit the given URL and exit.It is usually used for statistical purpose.Usage: stats.exe <URL>, xrefs: 00409B58
                                                                                                                                                                                                                                          • Tip, xrefs: 00409B53
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassRegister$MessageWindow$CursorInfoLoad$CommonControlsCriticalCurrentEnterInitInitializeProcSectionThreadUninitialize_memset
                                                                                                                                                                                                                                          • String ID: ://$This program will visit the given URL and exit.It is usually used for statistical purpose.Usage: stats.exe <URL>$Tip
                                                                                                                                                                                                                                          • API String ID: 1891423193-314159335
                                                                                                                                                                                                                                          • Opcode ID: d57fe23e49e834b2d20f9d2c187af9b3d0480d896070174b39bf21266c81a33b
                                                                                                                                                                                                                                          • Instruction ID: 5bc4b88b9a5656005c38049dd0c25c6740fd7e0a81772a24bde27d6abe2d5549
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d57fe23e49e834b2d20f9d2c187af9b3d0480d896070174b39bf21266c81a33b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E001D432205225BBDA113BA6BC0AF9F7A1DAF45B60F10083FF600B10D2CA78592096ED
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 270 40348a-4034a8 271 4034b4-4034c3 270->271 272 4034aa-4034af 270->272 274 4034c9-4034cf 271->274 275 40360f 271->275 273 403611-40361d call 40ab6a 272->273 274->275 276 4034d5-4034d9 274->276 275->273 278 4034e1-4034e9 276->278 279 4034db-4034df 276->279 282 4034f1-4034f9 278->282 283 4034eb-4034ef 278->283 279->278 281 403551-403560 call 401dc4 279->281 292 403571-40357d lstrlenW 281->292 293 403562-40356f 281->293 285 403501-403509 282->285 286 4034fb-4034ff 282->286 283->281 283->282 288 403511-403519 285->288 289 40350b-40350f 285->289 286->281 286->285 290 403521-403529 288->290 291 40351b-40351f 288->291 289->281 289->288 294 403531-403536 290->294 295 40352b-40352f 290->295 291->281 291->290 297 403583-40358c 292->297 298 40360a-40360d 292->298 296 403543-40354c CoCreateInstance 293->296 294->281 299 403538-40353e 294->299 295->281 295->294 300 403607 296->300 301 403596 CLSIDFromProgID 297->301 302 40358e-403594 CLSIDFromString 297->302 298->273 299->296 300->298 303 40359c-4035a3 301->303 302->303 303->298 304 4035a5-4035b0 #7 303->304 305 4035b2-4035d0 CoGetClassObject 304->305 306 4035f6-403601 CoCreateInstance 304->306 307 4035d2-4035e4 305->307 308 4035e7-4035ec 305->308 306->300 307->308 308->298 309 4035ee-4035f4 308->309 309->298
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoCreateInstance.OLE32(0040E6A4,00000000,00000001,?), ref: 00403543
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                                                                                                          • Opcode ID: 0b3207350ccdb61446f3d3a50d273f5d01df4129bbf8d6a9d7d62144eceb9347
                                                                                                                                                                                                                                          • Instruction ID: fa4264cd1955a41306a9d1c3a1fbf8da1e2f0e149bce503760d62e4bf295f703
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b3207350ccdb61446f3d3a50d273f5d01df4129bbf8d6a9d7d62144eceb9347
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28418074900216AADF209F59CC45BBB7EBCEB08302F90443BE945B62E0D77D9E82875D
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 312 40aa2e-40aa40 GetCommandLineW 313 40aa42 312->313 314 40aa4a-40aa5c call 40a559 312->314 315 40aa44 ExitProcess 313->315 318 40aa79-40aa7d 314->318 319 40aa5e-40aa6a CharNextW 314->319 322 40aa97-40aa9d 318->322 323 40aa7f-40aa88 CharNextW 318->323 320 40aa92-40aa95 CharNextW 319->320 321 40aa6c-40aa6f 319->321 320->322 321->319 326 40aa71-40aa75 321->326 324 40aa8c-40aa90 322->324 325 40aa9f-40aab1 GetStartupInfoW 322->325 323->323 327 40aa8a 323->327 324->320 324->325 328 40aab3-40aab7 325->328 329 40aab9-40aabb 325->329 326->322 330 40aa77 326->330 327->322 331 40aabc-40aac9 GetModuleHandleA call 409ae0 328->331 329->331 330->320 333 40aace-40aad6 call 40a848 331->333 333->315
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCommandLineW.KERNEL32 ref: 0040AA36
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 0040AA44
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000), ref: 0040AA5F
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000), ref: 0040AA80
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000), ref: 0040AA93
                                                                                                                                                                                                                                          • GetStartupInfoW.KERNEL32(?), ref: 0040AAA7
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040AAC2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext$CommandExitHandleInfoLineModuleProcessStartup
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 583095831-0
                                                                                                                                                                                                                                          • Opcode ID: 737934e675de4f21d5852706c508735ecd86d95bc8679f7fef37f85b9d084f5a
                                                                                                                                                                                                                                          • Instruction ID: c0e04138e1e23b9fdac12e1038fbc33ee6814bfcfad250fba7c6a6d4ce773015
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 737934e675de4f21d5852706c508735ecd86d95bc8679f7fef37f85b9d084f5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03116335500321A6D731BBA68E08B7F76A49F00751F550537F881B22D1E7BC4DA2CAAF
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          control_flow_graph 336 404074-404098 337 4040a6-4040c7 EnterCriticalSection 336->337 338 40409a-40409d 336->338 340 4041f9 337->340 341 4040cd-4040e2 call 401c74 337->341 338->337 339 40409f-4040a1 338->339 344 40421f-404235 call 40ab6a 339->344 343 4041fc-404202 340->343 350 4040e4-4040ea 341->350 351 40413e-404159 #162 341->351 346 404214-40421c call 40145c 343->346 347 404204-404207 343->347 346->344 347->346 352 404209-404211 call 402a2e 347->352 350->351 354 4040ec-4040f2 350->354 356 40415c-40415f 351->356 352->346 354->351 358 4040f4-40410c GetModuleFileNameW 354->358 356->343 360 404165-40417c 356->360 358->343 361 404112-404114 358->361 364 4041e1-4041ef 360->364 365 40417e-40419f call 402645 360->365 361->343 362 40411a-404137 #161 call 401125 361->362 372 40413c 362->372 364->343 371 4041f1-4041f7 364->371 375 4041a1-4041a8 call 403f65 365->375 376 4041ad-4041cc call 404058 365->376 371->343 372->356 375->376 380 4041d4-4041d9 376->380 381 4041ce-4041d0 376->381 380->364 382 4041db-4041dd 380->382 381->380 382->364
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(0041024C,00000000), ref: 004040B3
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00404104
                                                                                                                                                                                                                                          • #161.OLEAUT32(?,?), ref: 0040412B
                                                                                                                                                                                                                                          • #162.OLEAUT32(?,?,?,?,?), ref: 00404153
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: #161#162CriticalEnterFileModuleNameSection
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1725118692-0
                                                                                                                                                                                                                                          • Opcode ID: db21f10e629710586123d8f596d5cbfd9ffda8754c06c2071a621fa964ef6ed8
                                                                                                                                                                                                                                          • Instruction ID: 823f8b2c91bdd8410441d022d75542e2a5c1e8dc3aa34007b3531f1e035e3835
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db21f10e629710586123d8f596d5cbfd9ffda8754c06c2071a621fa964ef6ed8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88513EB19003089FDB20DFA5CC889AEB7B9BF95304B20443EE546EB291DB399985CF14
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 383 406972-40697e 384 406981-406985 383->384 385 4069ab-4069ad 384->385 386 406987-406994 PeekMessageW 385->386 387 4069af-4069bc GetMessageW 385->387 386->387 388 406996-4069a7 386->388 387->385 389 4069be-4069c0 387->389 388->385 393 4069a9 388->393 390 4069c2-4069cb 389->390 391 4069eb-4069f3 389->391 395 4069db-4069e4 call 406551 390->395 396 4069cd-4069d5 TranslateMessage DispatchMessageW 390->396 393->385 395->385 399 4069e6-4069e9 395->399 396->395 399->384
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000,0041025C,00000000,?,?,?,00409ABE), ref: 0040698C
                                                                                                                                                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004069B3
                                                                                                                                                                                                                                          • TranslateMessage.USER32(?), ref: 004069CE
                                                                                                                                                                                                                                          • DispatchMessageW.USER32(?), ref: 004069D5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Message$DispatchPeekTranslate
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4217535847-0
                                                                                                                                                                                                                                          • Opcode ID: 7eb9c73f79bfd4e62718ef7173afa342773132f2190057e34eb45e82fdde83c8
                                                                                                                                                                                                                                          • Instruction ID: 8551429d61bd0d2422191465250ca64f7c2bbda6e96765fba344c858e9ac1b5b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7eb9c73f79bfd4e62718ef7173afa342773132f2190057e34eb45e82fdde83c8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D01C8F12055196FD7105F528C8897B779CEF41359712053BF513E2580DB38CC2256EA
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 400 405c5b-405c90 GetDlgItem call 40194e call 401483 405 405c92-405cb6 #8 call 401207 400->405 406 405cda-405cdb 400->406 409 405cba-405cd2 #6 #9 405->409 409->406 410 405cd4-405cd6 409->410 410->406
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8,00000000,00000000,?,7693A7D0,0041025C), ref: 00405C69
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: EnterCriticalSection.KERNEL32(004102E4,7693A7D0,0041025C,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE), ref: 00401960
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401975
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401981
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWin80,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 0040199E
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 004019D2
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 004019EF
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: _memset.LIBCMT ref: 00401A18
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: GetClassInfoExW.USER32(AtlAxWinLic80,?,?,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000), ref: 00401A33
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: LoadCursorW.USER32(00000000,00007F00), ref: 00401A68
                                                                                                                                                                                                                                            • Part of subcall function 0040194E: RegisterClassExW.USER32(?), ref: 00401A85
                                                                                                                                                                                                                                          • #8.OLEAUT32(?,0040E338,00000000), ref: 00405C96
                                                                                                                                                                                                                                          • #6.OLEAUT32(?), ref: 00405CBD
                                                                                                                                                                                                                                          • #9.OLEAUT32(?), ref: 00405CC7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassRegister$CursorInfoLoadMessageWindow$CriticalEnterItemSection_memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1341504021-0
                                                                                                                                                                                                                                          • Opcode ID: e7acc18397d59e599054c78656186672f9ce1e491407c15093e1300ae225156b
                                                                                                                                                                                                                                          • Instruction ID: fdcf524c0c651178066a945282049319c38ea5a882d9b15e1e7355379dc4a2b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7acc18397d59e599054c78656186672f9ce1e491407c15093e1300ae225156b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A30157B0900209FFDF00EFA0CD49DAEBB78FF44709F108469F905AA1A1CB349A56DB64
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 411 4044a7-4044b6 412 4044b8-4044ba 411->412 413 4044bf-4044e2 call 404c28 411->413 414 4047ee-4047f1 412->414 418 4047b2-4047c9 413->418 419 4044e8-4044fd 413->419 424 4047ea-4047ed 418->424 425 4047cb-4047e0 418->425 422 404527-40452b 419->422 423 4044ff-404516 call 403237 419->423 426 404531-404540 call 403256 422->426 427 4045de-4045e4 422->427 449 40451a-40451f 423->449 424->414 447 4047e2 425->447 439 404542-404548 426->439 440 40455c-404560 426->440 431 4045e6-404606 call 403237 427->431 432 40460e-40462a 427->432 431->432 466 404608-40460a 431->466 445 40464c-404656 432->445 446 40462c-40463e 432->446 441 404553 439->441 442 40454a-40454d 439->442 440->427 444 404562-404571 call 403275 440->444 454 404557-40455a 441->454 453 404551 442->453 461 4045d1-4045d6 444->461 462 404573-404584 444->462 452 404676-40469c call 403ef1 445->452 463 404640-40464a 446->463 464 404658-40466a 446->464 447->424 451 4047e4-4047e6 447->451 449->422 455 404521-404523 449->455 451->424 481 4046ab-4046c3 452->481 482 40469e-4046a7 452->482 453->454 460 40458c-404590 454->460 455->422 460->461 465 404592-404598 460->465 461->427 468 4045d8-4045da 461->468 462->460 477 404586-404588 462->477 463->452 464->452 474 40466c 464->474 469 4045a4-4045ac 465->469 470 40459a-4045a0 465->470 466->432 468->427 475 4045b6-4045bd 469->475 476 4045ae-4045b2 469->476 470->469 474->452 478 4045c7-4045cc 475->478 479 4045bf-4045c3 475->479 476->475 477->460 478->447 479->478 484 4047a2-4047a7 481->484 485 4046c9-40477e GetClientRect call 40253c call 4024bf call 403237 481->485 482->481 487 4047a9-4047ab 484->487 488 4047af 484->488 497 404782-40479a RedrawWindow 485->497 487->488 488->418 497->484 498 40479c-40479e 497->498 498->484
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: AXWIN
                                                                                                                                                                                                                                          • API String ID: 0-1948516679
                                                                                                                                                                                                                                          • Opcode ID: 29b47ff977883ad234e927c2da6d7abc7687d5a6c2c032b68ea4efb225e3d3c3
                                                                                                                                                                                                                                          • Instruction ID: 8a837ab6d25e92d74b3a4ad2e440ee3dab00f482d83e3c825d564be163418add
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29b47ff977883ad234e927c2da6d7abc7687d5a6c2c032b68ea4efb225e3d3c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25C118B4600205EFDB14DFA4C888FAAB7B9FF49304F104869F656EB290DB39E911CB54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 520 402699-4026db call 401e60 call 403872 523 4026dd-4026df 520->523 524 4026e1-4026e9 523->524 525 40274b-402750 523->525 526 4026eb-4026fc call 4025ce 524->526 527 4026fe-402729 GetWindowLongW call 4025ce 524->527 528 402772-402775 525->528 529 402752-402757 525->529 537 40274a 526->537 538 402746 527->538 539 40272b-402736 GetWindowLongW 527->539 530 402778-40277e 528->530 529->528 533 402759-402770 529->533 533->530 537->525 538->537 539->538 540 402738-402740 SetWindowLongW 539->540 540->538
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000FC), ref: 0040270A
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000FC,00000082,?,?), ref: 00402731
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000FC,?), ref: 00402740
                                                                                                                                                                                                                                            • Part of subcall function 004025CE: CallWindowProcW.USER32(?,?,?,?,?,0040271D,00000082,?,?), ref: 004025E0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Long$CallProc
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 513923721-0
                                                                                                                                                                                                                                          • Opcode ID: 713e5293f32b740ccc224e7f7f3fdbffb754589d54674d24331193bdcf9e443b
                                                                                                                                                                                                                                          • Instruction ID: c0f1bdf2ce3a09bcd09b47fbf119f8d16fc3005d209b667ff417e4797591b63f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 713e5293f32b740ccc224e7f7f3fdbffb754589d54674d24331193bdcf9e443b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71315971500609AFCB20DF69CD84D9BBBF5FF48710B10892AF86AA72A0D774E910DF54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 542 4087ba-4087da 543 4087e6-4087fc 542->543 544 4087dc-4087e1 542->544 546 40881c-40881f 543->546 547 4087fe 543->547 545 4088a3-4088a5 544->545 549 408821-408826 546->549 550 408845-408870 #8 546->550 548 408801-408817 547->548 548->548 553 408819 548->553 554 408829-408840 549->554 551 408872 550->551 552 408875-4088a2 #146 #9 550->552 551->552 552->545 553->546 554->554 555 408842 554->555 555->550
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: #146
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3271177733-0
                                                                                                                                                                                                                                          • Opcode ID: c90ff86f82d954e237be4d553b6f639e44342477417984bdd1d81dbc522fe553
                                                                                                                                                                                                                                          • Instruction ID: eb3e1758e0a9507f5cb38740330085687dcefa2959cf672bf3c3e8e3f8e27f85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c90ff86f82d954e237be4d553b6f639e44342477417984bdd1d81dbc522fe553
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62313A72A00209DFDB04CFA8C9809EEB7F9FF49311B50C62AE955E7254D738E911CBA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 004080BF: EnterCriticalSection.KERNEL32(0041024C,0041025C,00000000,7693A7D0,0041025C), ref: 004080D6
                                                                                                                                                                                                                                            • Part of subcall function 004080BF: GetCurrentThreadId.KERNEL32 ref: 004080DC
                                                                                                                                                                                                                                            • Part of subcall function 004080BF: LeaveCriticalSection.KERNEL32(0041024C,?,?), ref: 004080F8
                                                                                                                                                                                                                                          • SetTimer.USER32(00000000,00000000,0001D4C0,00406480,?,00000000,00000000,?,7693A7D0,0041025C), ref: 00409AB0
                                                                                                                                                                                                                                          • IsWindow.USER32(?), ref: 00409AC3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalSection$CurrentEnterLeaveThreadTimerWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1852797959-0
                                                                                                                                                                                                                                          • Opcode ID: 584e8c5aa9ba8231c555835d596f9efe1915d81030b337a812fc3b39fce041eb
                                                                                                                                                                                                                                          • Instruction ID: 8fa7681320ebb0343f58c68049be1fe6cc87afb05af6ec14704baaf3ab520f0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 584e8c5aa9ba8231c555835d596f9efe1915d81030b337a812fc3b39fce041eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1215E71A11218ABCB04EF66DC419EEBBB8BF44744F00443FF806B7291DB789A44CB99
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetLastError.KERNEL32(0000000E,00000000,00000000), ref: 00404D29
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(?,00000000,?,?,?,?,?,?,?,00000000,?,004102E0,?), ref: 00404D97
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateErrorLastWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3732789607-0
                                                                                                                                                                                                                                          • Opcode ID: b8f603c60984adcb040896fc83b973f036cc2853cbe9c367267f13c6c4b58df6
                                                                                                                                                                                                                                          • Instruction ID: 23e584fcbe498f54003a1ca104303e530149ad01adc9a77cb35aa0601e9a552d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8f603c60984adcb040896fc83b973f036cc2853cbe9c367267f13c6c4b58df6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C118671100205AFDB109F55DD09FEB37A8EF88714F01812AFD04A61A0D7B8ECA0DBA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DestroyWindow.USER32(?), ref: 0040878B
                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00408795
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DestroyErrorLastWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1182162058-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DestroyAcceleratorTable.USER32(?), ref: 004037BF
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AcceleratorDestroyTable
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1151768253-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(80004005,00000000), ref: 00409087
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Item
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3207170592-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,00000000,?), ref: 00408567
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LongWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1378638983-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 00408498
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 716092398-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DestroyWindow.USER32(?,?,00404C59), ref: 00404DF1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DestroyWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3375834691-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CallWindowProcW.USER32(?,?,?,?,?,0040271D,00000082,?,?), ref: 004025E0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CallProcWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2714655100-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetTimer.USER32(?,00000E10,00002710,Function_00001003), ref: 004011B6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Timer
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2870079774-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___security_init_cookie.LIBCMT ref: 0040AADE
                                                                                                                                                                                                                                            • Part of subcall function 0040AA2E: GetCommandLineW.KERNEL32 ref: 0040AA36
                                                                                                                                                                                                                                            • Part of subcall function 0040AA2E: ExitProcess.KERNEL32 ref: 0040AA44
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CommandExitLineProcess___security_init_cookie
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3548331429-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsDialogMessageW.USER32(?,?), ref: 00401188
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DialogMessage
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 547518314-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DestroyWindow.USER32(?,00409AD7,00000002), ref: 00401194
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DestroyWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3375834691-0
                                                                                                                                                                                                                                          • Opcode ID: b0863944a378dab23152ef8535282dc6a05cb1383cd241958c0948688066d7dc
                                                                                                                                                                                                                                          • Instruction ID: ea7ed41d7021b4b7818eac619a2553265418cfbb465b58d446217103fc14ecee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0863944a378dab23152ef8535282dc6a05cb1383cd241958c0948688066d7dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41A00132004041DBD6093B12EF09404BB39AB8120671589F8D01664031877689A69A49
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2661920533.0000000007FC8000.00000010.00000800.00020000.00000000.sdmp, Offset: 07FC7000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2661533481.0000000007FC7000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7fc7000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fabcca14fa0a0b623ef26b5e308af8a05cb05556a2d6e0f9731adf8981ce4071
                                                                                                                                                                                                                                          • Instruction ID: 4386aeb74342a16494a213a570618fd8f1c5ed2f4c2e6da4cdfc44bbed47d3f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fabcca14fa0a0b623ef26b5e308af8a05cb05556a2d6e0f9731adf8981ce4071
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C012BB1B042029FE710CE68C994B61F7A5EB45755F1EC0EDD8044B286C771DC82C7B0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2661920533.0000000007FC8000.00000010.00000800.00020000.00000000.sdmp, Offset: 07FC8000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7fc7000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 87c60a1f3c9e43212d4cb5a9d10fd80077f44e16f43be18f5325c9e1a536d0af
                                                                                                                                                                                                                                          • Instruction ID: 4386aeb74342a16494a213a570618fd8f1c5ed2f4c2e6da4cdfc44bbed47d3f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87c60a1f3c9e43212d4cb5a9d10fd80077f44e16f43be18f5325c9e1a536d0af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C012BB1B042029FE710CE68C994B61F7A5EB45755F1EC0EDD8044B286C771DC82C7B0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662963113.0000000007E3B000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3B000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc4250b89a3a6444882d87617f1a563737670f3469a3c58b92ddd5e081807c65
                                                                                                                                                                                                                                          • Instruction ID: e8597a936bacef3ae750867a8b1d42d3fb7deccf568f47b643f924650a1cb3d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc4250b89a3a6444882d87617f1a563737670f3469a3c58b92ddd5e081807c65
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23D05E326082428FC701CF4CE8A14C2FBA4FF5523570482D7E89887522D71199248B81
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662963113.0000000007E3B000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3A000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2662113447.0000000007E3A000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc4250b89a3a6444882d87617f1a563737670f3469a3c58b92ddd5e081807c65
                                                                                                                                                                                                                                          • Instruction ID: e8597a936bacef3ae750867a8b1d42d3fb7deccf568f47b643f924650a1cb3d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc4250b89a3a6444882d87617f1a563737670f3469a3c58b92ddd5e081807c65
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23D05E326082428FC701CF4CE8A14C2FBA4FF5523570482D7E89887522D71199248B81
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2661920533.0000000007FC8000.00000010.00000800.00020000.00000000.sdmp, Offset: 07FC7000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2661533481.0000000007FC7000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7fc7000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bef16844f6a293a124efd518ce2404e306181fed7c44e3180bad4bf4184a0a8a
                                                                                                                                                                                                                                          • Instruction ID: 561e9e471ceedd14ecf88631607740f492023dd2e00fa6882ab5a3019b4278a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bef16844f6a293a124efd518ce2404e306181fed7c44e3180bad4bf4184a0a8a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10B09B237691255E151054DD7984156D388DA498B971503BBDD45C3101D5838D1541D1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2661920533.0000000007FC8000.00000010.00000800.00020000.00000000.sdmp, Offset: 07FC8000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7fc7000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bef16844f6a293a124efd518ce2404e306181fed7c44e3180bad4bf4184a0a8a
                                                                                                                                                                                                                                          • Instruction ID: 561e9e471ceedd14ecf88631607740f492023dd2e00fa6882ab5a3019b4278a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bef16844f6a293a124efd518ce2404e306181fed7c44e3180bad4bf4184a0a8a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10B09B237691255E151054DD7984156D388DA498B971503BBDD45C3101D5838D1541D1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662988237.0000000007E3C000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3B000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2662963113.0000000007E3B000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction ID: a33179d3b4226b7d94b96452bd01c5b0fb410758e7e2046956c37cd04bb22a05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69D012B59163049FCB41CF68CC058EABBF0FF59210B40858AB868C7262C330EA18DBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662988237.0000000007E3C000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3A000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2662113447.0000000007E3A000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction ID: a33179d3b4226b7d94b96452bd01c5b0fb410758e7e2046956c37cd04bb22a05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69D012B59163049FCB41CF68CC058EABBF0FF59210B40858AB868C7262C330EA18DBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662988237.0000000007E3C000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3C000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction ID: a33179d3b4226b7d94b96452bd01c5b0fb410758e7e2046956c37cd04bb22a05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de091a977359e538254f0ce15d312fcb72f3f21619334925024258480a651179
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69D012B59163049FCB41CF68CC058EABBF0FF59210B40858AB868C7262C330EA18DBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662837291.0000000007E41000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E41000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 49aaff0283ab69531927063a50c9cf9398cbf42aa9a196ba733ba04ef32dd776
                                                                                                                                                                                                                                          • Instruction ID: 540c651b1f6e9948d1cf8b72affe9db83d4b9d729ba61b166833758a18e1a8a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49aaff0283ab69531927063a50c9cf9398cbf42aa9a196ba733ba04ef32dd776
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60C09B77225114CB8711CB44E8408DEB3E45FC9750F155555A19687511D770ED5447C1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2662837291.0000000007E41000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E3A000, based on PE: false
                                                                                                                                                                                                                                          • Associated: 00000009.00000003.2662113447.0000000007E3A000.00000010.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_7e3a000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 49aaff0283ab69531927063a50c9cf9398cbf42aa9a196ba733ba04ef32dd776
                                                                                                                                                                                                                                          • Instruction ID: 540c651b1f6e9948d1cf8b72affe9db83d4b9d729ba61b166833758a18e1a8a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49aaff0283ab69531927063a50c9cf9398cbf42aa9a196ba733ba04ef32dd776
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60C09B77225114CB8711CB44E8408DEB3E45FC9750F155555A19687511D770ED5447C1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%


                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663316670.0000000003CF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf0000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction ID: 69e1db51e2d2cda2f78fdd9b351e93b36117048fb80b53cc6b0415a34cd4a538
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb47e5f8a4d83fff8aa7690c7a4c263a7eddb75cb4716c1093d2a0acb12c521
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663249258.0000000003CF2000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF2000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf2000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction ID: 8703214aac619a5ec7a2d61d777abb65e9f7aea0a0258a2f976e1a24d1fcb9ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663249258.0000000003CF2000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF2000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf2000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction ID: 8703214aac619a5ec7a2d61d777abb65e9f7aea0a0258a2f976e1a24d1fcb9ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663249258.0000000003CF2000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF2000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf2000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction ID: 8703214aac619a5ec7a2d61d777abb65e9f7aea0a0258a2f976e1a24d1fcb9ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5b4e7b085418a4970522563d40a1dba21f451310e893cd9a9d89aa7f9c6a670
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663282626.0000000003CF1000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF1000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf1000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction ID: 1c25e46da70b4571cff2c094991212d09de1d551783ccc68a5b8315f0004d8f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663282626.0000000003CF1000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF1000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf1000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction ID: 1c25e46da70b4571cff2c094991212d09de1d551783ccc68a5b8315f0004d8f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%


                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663282626.0000000003CF1000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF1000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf1000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction ID: 1c25e46da70b4571cff2c094991212d09de1d551783ccc68a5b8315f0004d8f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000003.2663282626.0000000003CF1000.00000010.00000800.00020000.00000000.sdmp, Offset: 03CF1000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_3_3cf1000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction ID: 1c25e46da70b4571cff2c094991212d09de1d551783ccc68a5b8315f0004d8f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97cedb6fd911e4dbfd5cf923342f2392f77ffa569ce6e0e24c1772d301b74930
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%


                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000C,?,0040A22E,00000014,00401E47,00000000,004081CA,00000000,00000000,?,?,004102E0), ref: 0040A160
                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000014,00000014,?,?,?,004102E0), ref: 0040A17A
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InterlockedPushEntrySList,?,?,?,004102E0), ref: 0040A194
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InterlockedPopEntrySList,?,?,?,004102E0), ref: 0040A1A1
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000008,?,?,?,004102E0), ref: 0040A1D3
                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,004102E0), ref: 0040A1D6
                                                                                                                                                                                                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000,?,?,?,004102E0), ref: 0040A1EA
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,004102E0), ref: 0040A1F6
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,004102E0), ref: 0040A1F9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Heap$AddressProcProcess$AllocCompareExchangeFeatureFreeInterlockedLibraryLoadPresentProcessor
                                                                                                                                                                                                                                          • String ID: InterlockedPopEntrySList$InterlockedPushEntrySList$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 3830925854-2586642590
                                                                                                                                                                                                                                          • Opcode ID: ee45b9990f5a85697e6864fa24fdf1cca42a96816a0250fd6d4dd6affa5ac796
                                                                                                                                                                                                                                          • Instruction ID: e151f3bea11b7a959d498af9b856d7010959e3d6b7f86af2ead3fce87609c1ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee45b9990f5a85697e6864fa24fdf1cca42a96816a0250fd6d4dd6affa5ac796
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0111B672600318DFD2209FB6AD88E173B6CE745751710887AF509F3351DBB99C61CB69
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 0040CF0C
                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040CF21
                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(0040F0B8), ref: 0040CF2C
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 0040CF48
                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 0040CF4F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2579439406-0
                                                                                                                                                                                                                                          • Opcode ID: ef11c1113a78b7b6e9b43d3d3c878c2baeec206f056cfcc71ab5a55a220f9180
                                                                                                                                                                                                                                          • Instruction ID: 87a5cd26306ba58da4b70f2573c841c26c2d9a1aa672fff7abda688326a58e20
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef11c1113a78b7b6e9b43d3d3c878c2baeec206f056cfcc71ab5a55a220f9180
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F21C3B4500205EFD750DF19E984A983BA5BB08308F10D47AEA19A7261E7F455C48F5E
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetThreadLocale.KERNEL32 ref: 0040A07D
                                                                                                                                                                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0040A08F
                                                                                                                                                                                                                                          • GetACP.KERNEL32 ref: 0040A0B8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Locale$InfoThread
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4232894706-0
                                                                                                                                                                                                                                          • Opcode ID: 9a90d970f437ffd9edca8fd421fe8ee2f2e7fea9a86389754c87bd7833e80040
                                                                                                                                                                                                                                          • Instruction ID: c56cb4481b97ef4eaa8f63431da3792916c0003af48a97e6627cedc285dce081
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a90d970f437ffd9edca8fd421fe8ee2f2e7fea9a86389754c87bd7833e80040
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38F0AF31E0032CABDB159F6599156AFB7E4AB04B40B4441BEED41B7280DA786E18879A
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 004015D1
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 004015E5
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004015EF
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 004015FF
                                                                                                                                                                                                                                          • OleUninitialize.OLE32 ref: 0040160F
                                                                                                                                                                                                                                          • OleInitialize.OLE32(00000000), ref: 0040161D
                                                                                                                                                                                                                                          • GetWindowTextLengthW.USER32(?), ref: 00401626
                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00401639
                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00401668
                                                                                                                                                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 00401798
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Long$InitializeLengthProcTextUninitialize__alloca_probe_16__freea
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 28949450-0
                                                                                                                                                                                                                                          • Opcode ID: c214d2b51a8ed9ae9d48573adc36a31d1fb4d11f9ed61c948cbe6f55d6a84caf
                                                                                                                                                                                                                                          • Instruction ID: effee5ad4f1be7dec0c043332801250c12b4d133a061a5caa54761ffb30a4dca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c214d2b51a8ed9ae9d48573adc36a31d1fb4d11f9ed61c948cbe6f55d6a84caf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D618931900109AFDF10AFA5CC88DAE7BB9EF45314B14497AF906BB2B0CB399D51CB59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 00402CD1
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00402CE9
                                                                                                                                                                                                                                          • CreateSolidBrush.GDI32(?), ref: 00402CF5
                                                                                                                                                                                                                                          • FillRect.USER32(?,?,00000000), ref: 00402D09
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00402D10
                                                                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 00402D1D
                                                                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 00402D3F
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00402D59
                                                                                                                                                                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00402D6E
                                                                                                                                                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00402D7C
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00402D8C
                                                                                                                                                                                                                                          • CreateSolidBrush.GDI32(?), ref: 00402D9F
                                                                                                                                                                                                                                          • FillRect.USER32(00000000,?,00000000), ref: 00402DB2
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00402DBB
                                                                                                                                                                                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00402DEF
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00402DF9
                                                                                                                                                                                                                                          • DeleteDC.GDI32(00000000), ref: 00402E00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateObjectRect$DeletePaint$BeginBrushClientCompatibleFillSelectSolid$Bitmap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2927874120-0
                                                                                                                                                                                                                                          • Opcode ID: f5351232a72c2a7bd7d01dfa25e42ebdf65d37a6d1c47cd332916ba376a21b18
                                                                                                                                                                                                                                          • Instruction ID: 36815eef4fe8322802c040f1513f16118a053fc1b4710b6c06e06feeafe233fa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f5351232a72c2a7bd7d01dfa25e42ebdf65d37a6d1c47cd332916ba376a21b18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9241F971900208AFDB119FE5DE88DAFBBBDFF48300B144929F516F61A1D7B49851DB24
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(004102E4,7693A7D0,0041025C,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE), ref: 00401960
                                                                                                                                                                                                                                          • RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401975
                                                                                                                                                                                                                                          • RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 00401981
                                                                                                                                                                                                                                          • GetClassInfoExW.USER32(AtlAxWin80,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000,?,0040AACE,00000000), ref: 0040199E
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004019D2
                                                                                                                                                                                                                                          • RegisterClassExW.USER32(?), ref: 004019EF
                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 00401A18
                                                                                                                                                                                                                                          • GetClassInfoExW.USER32(AtlAxWinLic80,?,?,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000), ref: 00401A33
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00401A68
                                                                                                                                                                                                                                          • RegisterClassExW.USER32(?), ref: 00401A85
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassRegister$CursorInfoLoadMessageWindow$CriticalEnterSection_memset
                                                                                                                                                                                                                                          • String ID: AtlAxWin80$AtlAxWinLic80$WM_ATLGETCONTROL$WM_ATLGETHOST
                                                                                                                                                                                                                                          • API String ID: 261302686-3337273722
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,Delete,00000000,?,00000000), ref: 00407C14
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000), ref: 00407C23
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 00407FE5
                                                                                                                                                                                                                                            • Part of subcall function 00406CD1: RegCloseKey.ADVAPI32(?,?,00406D2C), ref: 00406CDD
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: lstrcmpi$Closelstrlen
                                                                                                                                                                                                                                          • String ID: Delete$ForceRemove$NoRemove$Val
                                                                                                                                                                                                                                          • API String ID: 4232074402-1781481701
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetStockObject.GDI32(00000011), ref: 00402EA7
                                                                                                                                                                                                                                          • GetStockObject.GDI32(0000000D), ref: 00402EAF
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ObjectStock
                                                                                                                                                                                                                                          • String ID: Fs@Ms@Ls
                                                                                                                                                                                                                                          • API String ID: 3428563643-3278565124
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDC.USER32(00000000,?,?,?,?,0040473D,?,?), ref: 004024E9
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000058,?,?,?,?,0040473D,?,?), ref: 004024FA
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,?,?,0040473D,?,?), ref: 00402503
                                                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000,?,?,?,?,0040473D,?,?), ref: 0040250C
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(?,?,000009EC,?,?,?,?,0040473D,?,?), ref: 00402524
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(?,00000000,000009EC,?,?,?,?,0040473D,?,?), ref: 00402530
                                                                                                                                                                                                                                            • Part of subcall function 00401029: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004017DC,80004005,00000000,00000030,AtlAxWinLic80,00401AA4), ref: 00401046
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                                                                                                                                                                          • String ID: Fs@Ms@Ls
                                                                                                                                                                                                                                          • API String ID: 603618608-3278565124
                                                                                                                                                                                                                                          • Opcode ID: 96d470b54afcc190c8ea002b7b74a5c88e16c0b6d3e2b0effbe5733829919dca
                                                                                                                                                                                                                                          • Instruction ID: ca09f7603537b562a55d1fe78f2598cecccdad8f9f28e48307fa7d1c997bad25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96d470b54afcc190c8ea002b7b74a5c88e16c0b6d3e2b0effbe5733829919dca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36018F71104304AFE711AF62DD44A1BBBA8FF58758F00492AFA84772A1D6759C208A69
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDC.USER32(00000000,?,?,?,?,00404708,?,?), ref: 00402566
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,00000058,?,?,?,?,00404708,?,?), ref: 00402577
                                                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A,?,?,?,?,00404708,?,?), ref: 00402580
                                                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000,?,?,?,?,00404708,?,?), ref: 00402589
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(000009EC,?,?,?,?,?,?,00404708,?,?), ref: 004025A1
                                                                                                                                                                                                                                          • MulDiv.KERNEL32(000009EC,00000000,?,?,?,?,?,00404708,?,?), ref: 004025AD
                                                                                                                                                                                                                                            • Part of subcall function 00401029: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004017DC,80004005,00000000,00000030,AtlAxWinLic80,00401AA4), ref: 00401046
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                                                                                                                                                                          • String ID: Fs@Ms@Ls
                                                                                                                                                                                                                                          • API String ID: 603618608-3278565124
                                                                                                                                                                                                                                          • Opcode ID: 9d3578e258c01fd88bbb19e7fe0cfc559ccb5674c05cabce7050c81d0de611f4
                                                                                                                                                                                                                                          • Instruction ID: 241983a4a3e18299e212648792d6085d737ea81bed2319af26d05c91bcdad83e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d3578e258c01fd88bbb19e7fe0cfc559ccb5674c05cabce7050c81d0de611f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C018F75104315AFE311AF62DD44B1BBBA8FB58755F004829FA84B7291C67598108B69
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00406EF7: lstrcmpiW.KERNEL32(?,?,00407991,?,?,?,00000000,00000001,?,00407E4F,?,00000000,?,?,00000000), ref: 00406F61
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,00000000,00000001,?,00407E4F,?,00000000,?,?,00000000), ref: 004079F0
                                                                                                                                                                                                                                          • CharNextW.USER32(?,00000002,?,00000000), ref: 00407A22
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000,?,00000000), ref: 00407A3A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext$lstrcmpilstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1051761657-0
                                                                                                                                                                                                                                          • Opcode ID: 6d83cb8ce642e0a97dcec1801c7e6a4081e9bb5d1499e946e86fbd57e3611fa4
                                                                                                                                                                                                                                          • Instruction ID: 9beb27c25970e011abd7f4747c08830813502d25a1228566d0cad314f2fe5feb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d83cb8ce642e0a97dcec1801c7e6a4081e9bb5d1499e946e86fbd57e3611fa4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB718171D042089ADB21DFB5CC849EE77B9EF44314F20453FE919B7282DB386945CB56
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00401CE1: InitializeCriticalSection.KERNEL32(?,0040F120,0000000C,00402929,00000000,00404EE2,00000000,?,80004003,004059C0,?), ref: 00401CF2
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 00409717
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00409769
                                                                                                                                                                                                                                            • Part of subcall function 00401CA1: lstrlenW.KERNEL32(?,00403B86,00000000,?,?), ref: 00401CA5
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 004097B6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Modulelstrlen$CriticalFileHandleInitializeNameSection
                                                                                                                                                                                                                                          • String ID: Module$Module_Raw$REGISTRY
                                                                                                                                                                                                                                          • API String ID: 3852420207-549000027
                                                                                                                                                                                                                                          • Opcode ID: c7c86fee8a8619c7807ac6ec62dc070ca58d10c94a310cf1112faadda730bc82
                                                                                                                                                                                                                                          • Instruction ID: 3ad320125d83b5cd87979e75fc329e0cd712c19b8e70a303ea255d6198c75312
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7c86fee8a8619c7807ac6ec62dc070ca58d10c94a310cf1112faadda730bc82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8519F729101599BDB21DFA5CC85AEE73B8AF04308F14043BE905F72C2EB79AE14CB59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00401CE1: InitializeCriticalSection.KERNEL32(?,0040F120,0000000C,00402929,00000000,00404EE2,00000000,?,80004003,004059C0,?), ref: 00401CF2
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 004098EB
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040993D
                                                                                                                                                                                                                                            • Part of subcall function 00401CA1: lstrlenW.KERNEL32(?,00403B86,00000000,?,?), ref: 00401CA5
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 0040998A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Modulelstrlen$CriticalFileHandleInitializeNameSection
                                                                                                                                                                                                                                          • String ID: Module$Module_Raw$REGISTRY
                                                                                                                                                                                                                                          • API String ID: 3852420207-549000027
                                                                                                                                                                                                                                          • Opcode ID: bc8832b8a168cca473093e71fd0683c7253bb3db02b362cc6ee309ac0f585717
                                                                                                                                                                                                                                          • Instruction ID: a8535f27d6d7a3f8082f4af9bd06015fe4922fcf4a491c5011b3b0c3df28e119
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc8832b8a168cca473093e71fd0683c7253bb3db02b362cc6ee309ac0f585717
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F04184729101589BEB25EBD5CC45AEE73B8AF44308F14443BE905F72C2EB78AE088759
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00405A80
                                                                                                                                                                                                                                          • GetClassInfoExW.USER32(00000000,?,?), ref: 00405ABA
                                                                                                                                                                                                                                          • GetClassInfoExW.USER32(?,?,00000030), ref: 00405ACC
                                                                                                                                                                                                                                            • Part of subcall function 0040145C: LeaveCriticalSection.KERNEL32(00000000,00000030,00401AB8,?,?,?,?,?,?,?,?,?,00409B2E,00000000,?,00000000), ref: 00401467
                                                                                                                                                                                                                                          • LoadCursorW.USER32(?,?), ref: 00405B13
                                                                                                                                                                                                                                          • GetClassInfoExW.USER32(?,00000000,?), ref: 00405B57
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoad
                                                                                                                                                                                                                                          • String ID: 0
                                                                                                                                                                                                                                          • API String ID: 158815643-4108050209
                                                                                                                                                                                                                                          • Opcode ID: e769982c72fffa5cd844ce94e0a41c06f560553b37814d92871cf4a4059ee128
                                                                                                                                                                                                                                          • Instruction ID: b1f1f4aea7105cec710bb840670b560e23e93aac3c5c739135e3a17ca0da8162
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e769982c72fffa5cd844ce94e0a41c06f560553b37814d92871cf4a4059ee128
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56412875A01614DBCF15DFA4C8C09ABBBB8FF48710B1045AAED05AB285E374ED41CFA8
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 004075CD
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000,00000000), ref: 004075E6
                                                                                                                                                                                                                                          • CharNextW.USER32(00000000,00000000), ref: 00407613
                                                                                                                                                                                                                                          • CharNextW.USER32(?,?), ref: 00407673
                                                                                                                                                                                                                                          • CharNextW.USER32(?,00000000,00000001,00000000), ref: 0040768E
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(?,00000000), ref: 004076AC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext$FreeTask$lstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3737899670-0
                                                                                                                                                                                                                                          • Opcode ID: 3f6df31c5f4c8e40d39cf0dc270568bd26dca20aa80279ebd8d202b51859222a
                                                                                                                                                                                                                                          • Instruction ID: 70815ff03149cf6553a566cfaa54808779a48834d549263be91617a47d87fdff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3f6df31c5f4c8e40d39cf0dc270568bd26dca20aa80279ebd8d202b51859222a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF418271D14605DBDB249F69CC84A6EBBB4EF44314F20483FE842B7290DB7AA851CB5E
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 0040945C
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(00000000,?,?), ref: 0040947E
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0040953D
                                                                                                                                                                                                                                            • Part of subcall function 00401D2C: GetLastError.KERNEL32(0040948F), ref: 00401D2C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Library$ErrorFindFreeLastLoadResource
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3418355812-0
                                                                                                                                                                                                                                          • Opcode ID: 1146f57231f934f551236d10b7fd17082be6310c57974bbe22b2d2ae4ba9fe98
                                                                                                                                                                                                                                          • Instruction ID: 24ffe316f32aa359846eea3b4a83ecbad62831f282a55d7e675dc3e0195270ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1146f57231f934f551236d10b7fd17082be6310c57974bbe22b2d2ae4ba9fe98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89419A71D00218AFCB219FA6DC849DEBBB9AF04304F50453AE40ABB2A2DB785D41CF59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AllocTask
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 277515162-0
                                                                                                                                                                                                                                          • Opcode ID: 0c651ead3906f53c06f01d0419752ca8fbbd77829224e7cc053804149b8939e0
                                                                                                                                                                                                                                          • Instruction ID: 2aef50a02de2c0aeac59006375392b77dce537653f92314ff73230b84a04e9a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c651ead3906f53c06f01d0419752ca8fbbd77829224e7cc053804149b8939e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42214972500219EFEF11DF55DE44A9A7BB8EF04716F10402AF805B72A0D779DE20EBA5
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3213498283-0
                                                                                                                                                                                                                                          • Opcode ID: 7c8c5e24260911d3063e4083af7a4170b6a32ae4faadd7bfe46feb890225e6c4
                                                                                                                                                                                                                                          • Instruction ID: b3786078afadd5237d368cd7641b66036d738919889183352dbc9798068466b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c8c5e24260911d3063e4083af7a4170b6a32ae4faadd7bfe46feb890225e6c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E31A570908206DADB249F28C88062673E5FF65344B20453AE4C2EB3D1E778AD91C75A
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(00400000,?,000000F0), ref: 00408EF7
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(00400000,00000000), ref: 00408F07
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00408F16
                                                                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,00000000,00000143,00000000,?,00000000), ref: 00408F7B
                                                                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,00000001,0000040B,00000000,00000001,00000000), ref: 00409005
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$ItemMessageSend$FindLoadLock
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 915806882-0
                                                                                                                                                                                                                                          • Opcode ID: 4dcce77468c73a46aebe3cdc54ccb56f5a0e837ac25150b356bad12689ec9026
                                                                                                                                                                                                                                          • Instruction ID: 8ca510456220d8c0525df8bd257bd57df76f3223a6d027143b0dab0b192fe0ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4dcce77468c73a46aebe3cdc54ccb56f5a0e837ac25150b356bad12689ec9026
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8417F719001289FEB309F25DD41FA9B3B5AF04311F1041AAE95DB22D2DB789E85CF68
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _memset.LIBCMT ref: 0040A574
                                                                                                                                                                                                                                          • GetVersionExA.KERNEL32(00410340,0040AA4F), ref: 0040A583
                                                                                                                                                                                                                                          • InitializeCriticalSection.KERNEL32(004103D4), ref: 0040A599
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(004103D4), ref: 0040A5A0
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32 ref: 0040A5A9
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalSection$EnterHeapInitializeProcessVersion_memset
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 621449112-0
                                                                                                                                                                                                                                          • Opcode ID: 35415e3c5d343d80d4841c4419515c00e585d102efdaf0729b73992fc5d9f18e
                                                                                                                                                                                                                                          • Instruction ID: 3f26f715435f419315713ca405886c77d5859c7c5d5830aba2f352384caadbee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35415e3c5d343d80d4841c4419515c00e585d102efdaf0729b73992fc5d9f18e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92018C71A00305EBC710AFA3DE4445D7BA5BB85315718893BE629B62C1C77C89B28F5F
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CharNextW.USER32(\5@,?,?,0040355C,?,0040E6B4), ref: 00401DEE
                                                                                                                                                                                                                                          • CharNextW.USER32(?,?,?,0040355C,?,0040E6B4), ref: 00401DF5
                                                                                                                                                                                                                                          • CharNextW.USER32(?,?,?,0040355C,?,0040E6B4), ref: 00401E03
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CharNext
                                                                                                                                                                                                                                          • String ID: \5@
                                                                                                                                                                                                                                          • API String ID: 3213498283-1309314528
                                                                                                                                                                                                                                          • Opcode ID: 6be95cc0f8c55a9b8c49f6dc619d3a8a18184969920bf0195be3778cc2df7b9e
                                                                                                                                                                                                                                          • Instruction ID: 8726cf236ae77b94a83517557ca1126e442273100c8a4f8a9822b0c1dc0d8325
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6be95cc0f8c55a9b8c49f6dc619d3a8a18184969920bf0195be3778cc2df7b9e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CE0653550421287C7115B29D80057B67B7EFC07A1725443FF450B33E0E7B8AD41A699
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetParent.USER32 ref: 00401F22
                                                                                                                                                                                                                                          • GetClassNameW.USER32(00000000,?,00000008), ref: 00401F2F
                                                                                                                                                                                                                                          • lstrcmpW.KERNEL32(?,#32770), ref: 00401F42
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassNameParentlstrcmp
                                                                                                                                                                                                                                          • String ID: #32770
                                                                                                                                                                                                                                          • API String ID: 3513268407-463685578
                                                                                                                                                                                                                                          • Opcode ID: ee7cc9481c5b521f00df008888194c2f70e88a60c9780ad852d78c0b775b634e
                                                                                                                                                                                                                                          • Instruction ID: 7db31976ef58849cc2c61346ea34b91c715d8929c97d64d2787645f897e7581a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee7cc9481c5b521f00df008888194c2f70e88a60c9780ad852d78c0b775b634e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26E03030A10208AFDF04EBB5CD1AE6A77B8AB08704B500979B502F71D0EA78A9149719
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,0040D2F5,?,0040ADC6,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0040AEBE,?,?), ref: 0040A732
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,DecodePointer,?,0040ADC6,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0040AEBE,?,?), ref: 0040A742
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                          • String ID: DecodePointer$Kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 1646373207-3470280412
                                                                                                                                                                                                                                          • Opcode ID: 143423ea5c32141395bb756c3cafa9d0fd3dd0f75abda0f6482ef2f37c9da173
                                                                                                                                                                                                                                          • Instruction ID: b5788b40b0853c6dc7a37ca7fa3ef79ec24840802908159530c9da3f035f8337
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 143423ea5c32141395bb756c3cafa9d0fd3dd0f75abda0f6482ef2f37c9da173
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55D09E70644300AADA209F768E4970A76E46E80B41B54C8397549F3690D6B8C814D72A
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 004086CF
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,?,00000001), ref: 004086FF
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 0040870A
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000001), ref: 00408723
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000001), ref: 0040874C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$ErrorLastlstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3322701435-0
                                                                                                                                                                                                                                          • Opcode ID: 4a5b6fa4ec8c6909c6af7ae41f2e30f19464fd209faff48647098981153f76bb
                                                                                                                                                                                                                                          • Instruction ID: 48908fbd435a580ce89bed673ba8d31bff0f2ee05809f4ea8a84d6cc99bb99c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a5b6fa4ec8c6909c6af7ae41f2e30f19464fd209faff48647098981153f76bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8911B432801124FBDF212F92CD44D9FBF6DEF457A0B108576FD48AA160DA768A20DBE5
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de62730f88848f88c4bbaa6e7e82ed849049633fee533dd479b039f000a9baa6
                                                                                                                                                                                                                                          • Instruction ID: cb77998e7024dae3b669df9451ed5b3ebcb51d72841bf7db81120ee9a12ce087
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de62730f88848f88c4bbaa6e7e82ed849049633fee533dd479b039f000a9baa6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D415F71A002099FEB25DFA5CC49EAEB3B8BF04704F14412EF915EB291E774AA05CF59
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?,?,?), ref: 00405E08
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405E10
                                                                                                                                                                                                                                          • CreateAcceleratorTableW.USER32(?,00000001), ref: 00405E2B
                                                                                                                                                                                                                                          • GetParent.USER32(?), ref: 00405E4F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClientRect$AcceleratorCreateParentTable
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2716292469-0
                                                                                                                                                                                                                                          • Opcode ID: 3cb7a709e67cb0e5bb1a88611679f3adb8faac63631730c3f9f0bcc12b9d51fb
                                                                                                                                                                                                                                          • Instruction ID: 6c8c7b589815834652913391f2eafc525150b4cf2c6eb88aef6f49848b1dc11d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3cb7a709e67cb0e5bb1a88611679f3adb8faac63631730c3f9f0bcc12b9d51fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8131197250060AEFCF11DFA5C88499BBBB5FF55304B10883EE949EB290D734AA95CF94
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Focus$ChildWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 501040988-0
                                                                                                                                                                                                                                          • Opcode ID: fd406a10ea4aea3a7a5bb3e5849efb86bc6955d798d6ae10cb0e4b5896c3f78e
                                                                                                                                                                                                                                          • Instruction ID: 532c01201f7fede4d2c78af55f4bbdb3a0723938ccf6e1461939e7ddf0d1230e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd406a10ea4aea3a7a5bb3e5849efb86bc6955d798d6ae10cb0e4b5896c3f78e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA218E72500700EFCB20AF65C948E5BBBF9FF85B05B1088A9F856A73A0D735AE01DB14
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(004103D4,0040F160,0000000C,0040AAD5,00000000), ref: 0040A85A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          • Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalEnterSection
                                                                                                                                                                                                                                          • String ID: @$@$@
                                                                                                                                                                                                                                          • API String ID: 1904992153-3781450513
                                                                                                                                                                                                                                          • Opcode ID: 9d9ce20bab2c3ae863576952f7f92721fdb434e0a139a960a5c283693cb95302
                                                                                                                                                                                                                                          • Instruction ID: 0b707a8e5d76eb43a9908df19c84302258d993c8af28573cab87c81897dd866a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d9ce20bab2c3ae863576952f7f92721fdb434e0a139a960a5c283693cb95302
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31112A72C00725CBC7247FAA9904459F7A0BB50310729CA7BE8A5372D4CB7D08A29B9F
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004023E1
                                                                                                                                                                                                                                          • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0040240A
                                                                                                                                                                                                                                          • DeleteDC.GDI32(?), ref: 00402413
                                                                                                                                                                                                                                          • ReleaseDC.USER32(?,?), ref: 00402425
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2713696305.0000000000401000.00000020.00000001.01000000.00000013.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2713655394.0000000000400000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713743498.000000000040E000.00000002.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713794372.0000000000410000.00000004.00000001.01000000.00000013.sdmp
• Associated: 00000009.00000002.2713880336.0000000000411000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_400000_BitComet_stats.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClientDeleteRectRelease
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2015589292-0
                                                                                                                                                                                                                                          • Opcode ID: 614cfa66847d2ce2c7a67bbf7b93c0e3b4ce5d3dd69e48e1ba636696985369e4
                                                                                                                                                                                                                                          • Instruction ID: 9eb2079b5f884d9a32cc1e93a0881bdc95c6dfe1e025d8a8f6cda5fe4ba1e541
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 614cfa66847d2ce2c7a67bbf7b93c0e3b4ce5d3dd69e48e1ba636696985369e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F01E836500118FFEB11DFA9DE48FAEBBB9FB08300F008964F955B62A0C771A920DB54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                          Execution Coverage:7.2%
                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                          Signature Coverage:1.1%
                                                                                                                                                                                                                                          Total number of Nodes:2000
                                                                                                                                                                                                                                          Total number of Limit Nodes:53
88788 f3f520 28 API calls 88784->88788 88787 fad60f 25 API calls 88785->88787 88790 f3e633 88787->88790 88791 f3e264 88788->88791 88789 f3e454 88792 f3dc20 93 API calls 88789->88792 88789->88796 88793 f3e640 87 API calls 88791->88793 88798 f3e49d ctype 88792->88798 88794 f3e27d 88793->88794 88794->88767 88794->88795 88795->88752 88796->88782 88796->88785 88797 f3e629 88799 fad60f 25 API calls 88797->88799 88798->88796 88798->88797 88799->88785 88801 f3def8 SHGetSpecialFolderPathW 88800->88801 88801->88679 88801->88723 88803 f3f541 codecvt 88802->88803 88808 f3f571 88802->88808 88803->88689 88804 f3f677 88833 f334d0 21 API calls collate 88804->88833 88806 fad60f 25 API calls 88809 f3f681 88806->88809 88807 f3f672 Concurrency::cancel_current_task 88807->88804 88808->88804 88808->88807 88810 f3f5d3 88808->88810 88811 f3f5fa 88808->88811 88810->88807 88812 f3f5de 88810->88812 88813 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88811->88813 88815 f3f5e4 codecvt 88811->88815 88814 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88812->88814 88813->88815 88814->88815 88815->88806 88816 f3f658 ctype 88815->88816 88816->88689 88818 f3e680 GetFileAttributesW 88817->88818 88819 f3e67e 88817->88819 88823 f3e690 88818->88823 88828 f3e724 ctype 88818->88828 88819->88818 88820 f3e736 CreateDirectoryW 88821 f3e742 GetLastError 88820->88821 88822 f3e09d 88820->88822 88821->88822 88822->88688 88822->88699 88823->88823 88824 f3f520 28 API calls 88823->88824 88823->88828 88825 f3e6ec 88824->88825 88834 f3d6d0 83 API calls 88825->88834 88827 f3e6f8 88827->88828 88829 f3e77d 88827->88829 88828->88820 88830 fad60f 25 API calls 88829->88830 88831 f3e782 88830->88831 88832->88717 88834->88827 88835->88747 88836->88747 88837->88789 88839 f5dc90 88838->88839 88843 f5dcc5 88838->88843 88840 fa8760 27 API calls 88839->88840 88842 f5dc9c 88840->88842 88841 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88841->88843 88842->88841 88843->88651 88845 f938e8 88844->88845 88846 
f938a6 InitializeCriticalSectionEx 88845->88846 88847 f938c4 InitializeSRWLock 88845->88847 88846->88654 88847->88654 88883 faa3a0 88850->88883 88852 f43de7 WTSGetActiveConsoleSessionId 88853 f43e15 88852->88853 88854 f43e0b OutputDebugStringW 88852->88854 88853->88854 88857 f43e3e 88853->88857 88872 f43e57 codecvt ctype 88854->88872 88856 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 88858 f41172 88856->88858 88859 f43f81 OutputDebugStringW 88857->88859 88860 f43e4a 88857->88860 88873 f43fd0 70 API calls 2 library calls 88858->88873 88859->88872 88861 f43fc0 88860->88861 88864 f43e90 88860->88864 88860->88872 88885 f334d0 21 API calls collate 88861->88885 88863 f43fc5 88866 fad60f 25 API calls 88863->88866 88865 f43fca Concurrency::cancel_current_task 88864->88865 88867 f43ee7 88864->88867 88868 f43f0e 88864->88868 88866->88865 88867->88865 88869 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88867->88869 88870 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88868->88870 88871 f43ef8 codecvt 88868->88871 88869->88871 88870->88871 88871->88863 88871->88872 88872->88856 88873->88659 88875 f34122 88874->88875 88876 f34147 codecvt 88874->88876 88886 f333c3 28 API calls collate 88875->88886 88876->88664 88878->88668 88879->88670 88880->88672 88881->88674 88884 faa3b8 88883->88884 88884->88852 88884->88884 88886->88876 88887->88208 88888->88210 88889->88212 88890->88214 88892 f380f9 88891->88892 88906 f38185 ctype 88891->88906 88910 f37f60 88892->88910 88896 f38109 88926 f381d0 28 API calls 5 library calls 88896->88926 88898 f38119 88927 f389b0 88898->88927 88900 f38130 88901 f34300 5 API calls 88900->88901 88902 f3813e 88901->88902 88938 f38730 80 API calls Concurrency::cancel_current_task 88902->88938 88904 f3814b 88905 f34300 5 API calls 88904->88905 88907 f38156 88905->88907 88906->88217 88907->88906 88908 fad60f 25 API calls 88907->88908 88909 f381c5 88908->88909 88911 f37faa 88910->88911 88921 f38076 88910->88921 88939 f93cd6 
88911->88939 88913 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 88914 f3809e 88913->88914 88922 f34300 88914->88922 88915 f37faf std::_Stodx_v2 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 88942 f39620 81 API calls Concurrency::cancel_current_task 88915->88942 88917 f38036 88943 f38530 80 API calls Concurrency::cancel_current_task 88917->88943 88919 f3806b 88920 f34300 5 API calls 88919->88920 88920->88921 88921->88913 88923 f3430c __EH_prolog3_catch 88922->88923 88949 f32c9c 88923->88949 88925 f3436d std::locale::_Locimp::_Makeushloc 88925->88896 88926->88898 88928 f389ff 88927->88928 88929 f32c9c 5 API calls 88928->88929 88937 f38a1b 88929->88937 88930 f38bce 88930->88900 88932 f38c51 88933 faa332 Concurrency::cancel_current_task RaiseException 88932->88933 88934 f38c5f 88933->88934 88935 fae960 std::_Locinfo::_Getdays 14 API calls 88934->88935 88936 f38c71 ctype 88935->88936 88936->88900 88937->88930 88954 f328d1 27 API calls 3 library calls 88937->88954 88938->88904 88944 f96d6a 88939->88944 88942->88917 88943->88919 88945 f96d7b GetSystemTimePreciseAsFileTime 88944->88945 88946 f96d87 GetSystemTimeAsFileTime 88944->88946 88947 f93ce4 88945->88947 88946->88947 88947->88915 88951 f32ca8 __EH_prolog3 88949->88951 88950 f32cf7 std::locale::_Locimp::_Makeushloc 88950->88925 88951->88950 88953 f32c33 5 API calls 2 library calls 88951->88953 88953->88950 88954->88932 88955->88223 88956->88227 88960 f3ba83 88957->88960 88958 f3bba2 89118 f334d0 21 API calls collate 88958->89118 88960->88958 88962 f3bb9d Concurrency::cancel_current_task 88960->88962 88964 f3bb43 88960->88964 88965 f3bb64 88960->88965 88968 f3baca codecvt 88960->88968 88961 f3bb50 88963 fad60f 25 API calls 88961->88963 88961->88968 88962->88958 88966 f3bbac 88963->88966 88964->88962 88967 f3bb4a 88964->88967 88965->88968 88970 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88965->88970 88969 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88967->88969 88968->88236 
88969->88961 88970->88968 88972 f93bab 13 API calls 88971->88972 88973 f408dd 88972->88973 88974 f41045 88973->88974 88975 f408e8 88973->88975 88977 f93faf 79 API calls 88974->88977 88976 f408f4 ConvertStringSecurityDescriptorToSecurityDescriptorW 88975->88976 88980 f40a51 __cftof 88975->88980 88982 f40911 88976->88982 88992 f40fdb std::ios_base::_Ios_base_dtor __Mtx_unlock 88976->88992 88978 f4104b 88977->88978 88979 fad60f 25 API calls 88978->88979 88987 f40f65 88979->88987 89119 f43110 88980->89119 88985 f3f520 28 API calls 88982->88985 88983 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 88986 f4103f 88983->88986 88984 f40a84 88988 f40fa9 88984->88988 88994 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 88984->88994 89037 f40c43 codecvt 88984->89037 88989 f40991 88985->88989 88986->88237 89182 f328d1 27 API calls 3 library calls 88987->89182 89181 f42b90 73 API calls ctype 88988->89181 88991 f3e640 87 API calls 88989->88991 88995 f409a4 88991->88995 88992->88983 88999 f40ae1 __cftof 88994->88999 88995->88978 88996 f409ec ctype 88995->88996 89000 f40a31 88996->89000 89001 f40a1d 88996->89001 88997 f389b0 27 API calls 88998 f41087 89003 faa332 Concurrency::cancel_current_task RaiseException 88998->89003 89000->88980 89004 f40a42 LocalFree 89000->89004 89001->88992 89005 f40a25 LocalFree 89001->89005 89006 f41098 89003->89006 89004->88980 89005->88992 89037->88997 89040 f420f9 89039->89040 89042 f42123 89039->89042 89040->89042 89533 fb4ef7 89040->89533 89042->88237 89044 f407cb ctype 89043->89044 89045 fad60f 25 API calls 89044->89045 89047 f4083b __Mtx_destroy_in_situ ctype 89044->89047 89046 f40884 89045->89046 89048 f93bab 13 API calls 89046->89048 89047->88237 89049 f408dd 89048->89049 89050 f41045 89049->89050 89051 f408e8 89049->89051 89053 f93faf 79 API calls 89050->89053 89052 f408f4 ConvertStringSecurityDescriptorToSecurityDescriptorW 89051->89052 89056 f40a51 __cftof 89051->89056 89058 f40911 89052->89058 89068 f40fdb 
std::ios_base::_Ios_base_dtor __Mtx_unlock 89052->89068 89054 f4104b 89053->89054 89055 fad60f 25 API calls 89054->89055 89063 f40f65 89055->89063 89057 f43110 107 API calls 89056->89057 89060 f40a84 89057->89060 89061 f3f520 28 API calls 89058->89061 89059 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89062 f4103f 89059->89062 89064 f40fa9 89060->89064 89070 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89060->89070 89113 f40c43 codecvt 89060->89113 89065 f40991 89061->89065 89062->88237 89571 f328d1 27 API calls 3 library calls 89063->89571 89570 f42b90 73 API calls ctype 89064->89570 89067 f3e640 87 API calls 89065->89067 89071 f409a4 89067->89071 89068->89059 89075 f40ae1 __cftof 89070->89075 89071->89054 89072 f409ec ctype 89071->89072 89076 f40a31 89072->89076 89077 f40a1d 89072->89077 89073 f389b0 27 API calls 89078 f40d38 89073->89078 89074 f41087 89079 faa332 Concurrency::cancel_current_task RaiseException 89074->89079 89083 f93367 std::_Lockit::_Lockit 7 API calls 89075->89083 89076->89056 89080 f40a42 LocalFree 89076->89080 89077->89068 89081 f40a25 LocalFree 89077->89081 89084 f32c9c 5 API calls 89078->89084 89090 f40d68 89078->89090 89082 f41098 89079->89082 89080->89056 89081->89068 89085 f40b0d 89083->89085 89084->89090 89564 f93184 77 API calls 2 library calls 89085->89564 89086 f32c9c 5 API calls 89088 f40e1f 89086->89088 89096 f40e6e 89088->89096 89114 f42310 70 API calls 89088->89114 89089 f40b55 89565 f933f6 48 API calls 3 library calls 89089->89565 89090->89063 89090->89064 89090->89086 89092 f40b61 89566 f33128 77 API calls 3 library calls 89092->89566 89094 f40b8b 89095 f93084 std::locale::_Init 57 API calls 89094->89095 89099 f40b9c 89095->89099 89096->89064 89097 f43030 73 API calls 89096->89097 89098 f40f29 89097->89098 89098->89063 89102 f40f78 89098->89102 89100 f40be6 89099->89100 89103 f93367 std::_Lockit::_Lockit 7 API calls 89099->89103 89567 f95688 84 API calls 9 library calls 89100->89567 89568 f3e790 34 API 
calls 2 library calls 89102->89568 89105 f40bc5 89103->89105 89104 f40bf7 89109 f40c1e 89104->89109 89111 fae960 std::_Locinfo::_Getdays 14 API calls 89104->89111 89104->89113 89108 f933bf std::_Lockit::~_Lockit 2 API calls 89105->89108 89107 f40f9f 89569 f41740 28 API calls 89107->89569 89108->89100 89112 fb594f _Yarn 15 API calls 89109->89112 89111->89109 89112->89113 89113->89073 89114->89096 89572 f3cc80 89115->89572 89117 f3cd2f ctype 89117->88235 89183 f3be30 89119->89183 89126 f43388 89133 f43333 89126->89133 89208 f328d1 27 API calls 3 library calls 89126->89208 89127 f4328f 89207 f43400 80 API calls 8 library calls 89127->89207 89129 f433e3 89131 faa332 Concurrency::cancel_current_task RaiseException 89129->89131 89132 f433f1 89131->89132 89133->88984 89181->88992 89182->88998 89209 f3c0c0 89183->89209 89188 f3be6f 89190 f3be7c 89188->89190 89218 f92bab 9 API calls 2 library calls 89188->89218 89196 f3bbb0 89190->89196 89191 f3be86 89219 f328d1 27 API calls 3 library calls 89191->89219 89193 f3bebc 89194 faa332 Concurrency::cancel_current_task RaiseException 89193->89194 89195 f3becb 89194->89195 89197 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89196->89197 89198 f3bbea 89197->89198 89199 f93084 std::locale::_Init 57 API calls 89198->89199 89200 f3bc01 89199->89200 89200->89126 89201 f940b7 89200->89201 89202 f94011 89201->89202 89203 f43281 89202->89203 89204 f94079 89202->89204 89257 fb5408 70 API calls 89202->89257 89203->89126 89203->89127 89204->89203 89246 fb58cb 89204->89246 89207->89133 89208->89129 89210 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89209->89210 89211 f3c13a 89210->89211 89212 f93084 std::locale::_Init 57 API calls 89211->89212 89213 f3be3b 89212->89213 89214 f3bff0 89213->89214 89215 f3c02e 89214->89215 89220 f332de 89215->89220 89218->89190 89219->89193 89221 f332ea __EH_prolog3_GS 89220->89221 89222 f93367 std::_Lockit::_Lockit 7 API calls 89221->89222 89223 f332f7 89222->89223 89240 f32d14 14 API calls 3 
library calls 89223->89240 89225 f3330e std::locale::_Locimp::_Makeushloc 89237 f33320 89225->89237 89241 f331d9 80 API calls 6 library calls 89225->89241 89226 f933bf std::_Lockit::~_Lockit 2 API calls 89228 f33365 89226->89228 89243 fa8def 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 89228->89243 89229 f3332e 89231 f33335 89229->89231 89232 f3336d 89229->89232 89242 f93052 27 API calls std::locale::_Locimp::_Makeushloc 89231->89242 89244 f33268 RaiseException Concurrency::cancel_current_task ctype 89232->89244 89236 f33372 89245 f932da LCMapStringEx ___crtLCMapStringW 89236->89245 89237->89226 89239 f3338d 89239->89188 89239->89191 89240->89225 89241->89229 89242->89237 89244->89236 89245->89239 89247 fb58d7 CallCatchBlock 89246->89247 89257->89204 89534 fb4f09 89533->89534 89535 fb4f12 ___scrt_uninitialize_crt 89533->89535 89549 fb4d9c 72 API calls ___scrt_uninitialize_crt 89534->89549 89538 fb4f23 89535->89538 89541 fb4d3c 89535->89541 89537 fb4f0f 89537->89042 89538->89042 89542 fb4d48 CallCatchBlock 89541->89542 89550 fb582c EnterCriticalSection 89542->89550 89544 fb4d56 89551 fb4ea6 89544->89551 89548 fb4d79 89548->89042 89549->89537 89550->89544 89552 fb4ebc 89551->89552 89553 fb4eb3 89551->89553 89555 fb4e41 ___scrt_uninitialize_crt 68 API calls 89552->89555 89562 fb4d9c 72 API calls ___scrt_uninitialize_crt 89553->89562 89557 fb4ec2 89555->89557 89556 fb4d67 89561 fb4d90 LeaveCriticalSection ___scrt_uninitialize_crt 89556->89561 89557->89556 89558 fc2e1c __InternalCxxFrameHandler 14 API calls 89557->89558 89559 fb4ed8 89558->89559 89563 fc56f0 18 API calls 2 library calls 89559->89563 89561->89548 89562->89556 89563->89556 89564->89089 89565->89092 89566->89094 89567->89104 89568->89107 89570->89068 89571->89074 89573 f3cc89 89572->89573 89574 f3cccb ctype 89572->89574 89573->89574 89575 fad60f 25 API calls 89573->89575 89574->89117 89576 f3cd1f 89575->89576 89577 f3cc80 25 API calls 89576->89577 89578 f3cd2f ctype 89577->89578 89578->89117 
89579->88265 89580->88269 89581->88272 89582 fb22d9 89583 fb22e9 89582->89583 89584 fb22fc 89582->89584 89585 fad73d std::_Stofx_v2 14 API calls 89583->89585 89586 fb230e 89584->89586 89590 fb2321 89584->89590 89606 fb22ee __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 89585->89606 89587 fad73d std::_Stofx_v2 14 API calls 89586->89587 89587->89606 89588 fb2352 89607 fc3473 14 API calls std::_Stofx_v2 89588->89607 89589 fb2341 89591 fad73d std::_Stofx_v2 14 API calls 89589->89591 89590->89588 89590->89589 89591->89606 89593 fb2369 89594 fb255d 89593->89594 89608 fc349f 14 API calls std::_Stofx_v2 89593->89608 89612 fad62c 11 API calls __InternalCxxFrameHandler 89594->89612 89597 fb237b 89597->89594 89609 fc34cb 14 API calls std::_Stofx_v2 89597->89609 89598 fb2567 89600 fb238d 89600->89594 89601 fb2396 89600->89601 89602 fb241b 89601->89602 89603 fb23b7 89601->89603 89602->89606 89611 fc3f0a 25 API calls 2 library calls 89602->89611 89603->89606 89610 fc3f0a 25 API calls 2 library calls 89603->89610 89607->89593 89608->89597 89609->89600 89610->89606 89611->89606 89612->89598 89613 f5ecd0 89614 f5ece7 lstrlenW 89613->89614 89615 f5ecde 89613->89615 89618 f5ed10 89614->89618 89616 f5ed07 89619 f5ed39 89618->89619 89620 f5ed1a 89618->89620 89619->89616 89620->89619 89621 f5ed22 RegSetValueExW 89620->89621 89621->89616 89628 f5e590 89629 f5e5a5 89628->89629 89630 f5e59a 89628->89630 89633 f5e8c0 RegQueryValueExW 89629->89633 89631 f5e5bf 89633->89631 89634 f5ea50 89636 f5ed10 RegSetValueExW 89634->89636 89635 f5ea63 89636->89635 89637 f5df10 RegCreateKeyExW 89638 f5df52 89637->89638 89639 fc61fa 89640 fc6206 CallCatchBlock 89639->89640 89641 fc620c 89640->89641 89642 fc6223 89640->89642 89643 fad73d std::_Stofx_v2 14 API calls 89641->89643 89650 fb582c EnterCriticalSection 89642->89650 89649 fc6211 89643->89649 89645 fc6233 89651 fc627a 89645->89651 89647 fc623f 89670 fc6270 LeaveCriticalSection ___scrt_uninitialize_crt 89647->89670 89650->89645 89652 fc629f 
89651->89652 89653 fc6288 89651->89653 89655 fc2e1c __InternalCxxFrameHandler 14 API calls 89652->89655 89654 fad73d std::_Stofx_v2 14 API calls 89653->89654 89656 fc628d 89654->89656 89657 fc62a9 89655->89657 89656->89647 89671 fc6972 89657->89671 89660 fc638c 89662 fc639a 89660->89662 89665 fc6365 89660->89665 89661 fc6337 89664 fc6351 89661->89664 89661->89665 89663 fad73d std::_Stofx_v2 14 API calls 89662->89663 89669 fc62ee __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 89663->89669 89674 fc65bd 24 API calls 4 library calls 89664->89674 89665->89669 89675 fc63fe 18 API calls 2 library calls 89665->89675 89667 fc635d 89667->89669 89669->89647 89670->89649 89676 fc67ea 89671->89676 89673 fc62c4 89673->89660 89673->89661 89673->89669 89674->89667 89675->89669 89677 fc67f6 CallCatchBlock 89676->89677 89678 fc67fe 89677->89678 89679 fc6816 89677->89679 89709 fad72a 14 API calls __dosmaperr 89678->89709 89681 fc68c7 89679->89681 89685 fc684b 89679->89685 89712 fad72a 14 API calls __dosmaperr 89681->89712 89682 fc6803 89684 fad73d std::_Stofx_v2 14 API calls 89682->89684 89690 fc680b 89684->89690 89699 fcace1 EnterCriticalSection 89685->89699 89686 fc68cc 89688 fad73d std::_Stofx_v2 14 API calls 89686->89688 89688->89690 89689 fc6851 89691 fc688a 89689->89691 89692 fc6875 89689->89692 89690->89673 89700 fc68f6 89691->89700 89693 fad73d std::_Stofx_v2 14 API calls 89692->89693 89695 fc687a 89693->89695 89710 fad72a 14 API calls __dosmaperr 89695->89710 89696 fc6885 89711 fc68bf LeaveCriticalSection __wsopen_s 89696->89711 89699->89689 89701 fcaf5d __wsopen_s 14 API calls 89700->89701 89702 fc6908 89701->89702 89703 fc6910 89702->89703 89704 fc6921 SetFilePointerEx 89702->89704 89705 fad73d std::_Stofx_v2 14 API calls 89703->89705 89706 fc6915 89704->89706 89707 fc6939 GetLastError 89704->89707 89705->89706 89706->89696 89713 fad707 14 API calls 2 library calls 89707->89713 89709->89682 89710->89696 89711->89690 89712->89686 89713->89706 89717 fbed30 89718 fbed39 
89717->89718 89722 fbed4f 89717->89722 89718->89722 89723 fbed5c 89718->89723 89720 fbed46 89720->89722 89736 fbf009 15 API calls 3 library calls 89720->89736 89724 fbed68 89723->89724 89725 fbed65 89723->89725 89737 fca3f0 89724->89737 89725->89720 89730 fbed7a 89732 fc2098 _free 14 API calls 89730->89732 89734 fbeda9 89732->89734 89733 fbed85 89735 fc2098 _free 14 API calls 89733->89735 89734->89720 89735->89730 89736->89722 89738 fca3f9 89737->89738 89739 fbed6f 89737->89739 89756 fc1d66 48 API calls 3 library calls 89738->89756 89743 fca690 GetEnvironmentStringsW 89739->89743 89741 fca41c 89757 fca234 56 API calls 3 library calls 89741->89757 89744 fca6a7 89743->89744 89754 fca6fd 89743->89754 89758 fc98ff 89744->89758 89745 fbed74 89745->89730 89755 fbedfd 25 API calls 4 library calls 89745->89755 89746 fca706 FreeEnvironmentStringsW 89746->89745 89748 fca6c0 89749 fc2174 std::_Locinfo::_W_Getmonths 15 API calls 89748->89749 89748->89754 89750 fca6d0 89749->89750 89751 fc98ff __cftof WideCharToMultiByte 89750->89751 89752 fca6e8 89750->89752 89751->89752 89753 fc2098 _free 14 API calls 89752->89753 89753->89754 89754->89745 89754->89746 89755->89733 89756->89741 89757->89739 89759 fc9918 WideCharToMultiByte 89758->89759 89759->89748 89761 f55318 89878 fa88fa EnterCriticalSection 89761->89878 89763 f55322 89764 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89763->89764 89861 f5571a 89763->89861 89766 f5535e 89764->89766 89765 f56440 27 API calls 89767 f5575a GetModuleHandleW 89765->89767 89883 f54a40 89766->89883 89772 f55816 89767->89772 89769 f553a7 89771 f54a40 33 API calls 89769->89771 89773 f553ba 89771->89773 89775 f56440 27 API calls 89772->89775 89774 f54a40 33 API calls 89773->89774 89777 f553cb 89774->89777 89776 f55885 89775->89776 89778 f565c0 25 API calls 89776->89778 89890 f561f0 29 API calls 3 library calls 89777->89890 89780 f5588c 89778->89780 89782 f56440 27 API calls 89780->89782 89781 f553e9 89783 f54a40 33 API calls 89781->89783 
89791 f5595c 89782->89791 89784 f55486 89783->89784 89785 f54a40 33 API calls 89784->89785 89786 f55499 89785->89786 89787 f54a40 33 API calls 89786->89787 89788 f554aa 89787->89788 89891 f561f0 29 API calls 3 library calls 89788->89891 89790 f554c8 89792 f54a40 33 API calls 89790->89792 89793 f56440 27 API calls 89791->89793 89794 f55565 89792->89794 89800 f55ae8 89793->89800 89795 f54a40 33 API calls 89794->89795 89796 f55578 89795->89796 89797 f54a40 33 API calls 89796->89797 89798 f55589 89797->89798 89892 f561f0 29 API calls 3 library calls 89798->89892 89826 f55b83 std::ios_base::_Ios_base_dtor ctype 89800->89826 89896 f311f3 29 API calls 2 library calls 89800->89896 89801 f555a7 89805 f54a40 33 API calls 89801->89805 89803 f55bdb 89806 f55be6 89803->89806 89814 f55cfc ctype 89803->89814 89804 f56440 27 API calls 89812 f55cc5 89804->89812 89807 f5564e 89805->89807 89808 f39bb0 125 API calls 89806->89808 89809 f54a40 33 API calls 89807->89809 89811 f55beb 89808->89811 89813 f55661 89809->89813 89810 f56440 27 API calls 89815 f55d62 89810->89815 89816 f39940 171 API calls 89811->89816 89817 f55de7 89812->89817 89818 f55e30 89812->89818 89834 f55cd3 codecvt 89812->89834 89819 f54a40 33 API calls 89813->89819 89814->89810 89815->89826 89898 f4aad0 28 API calls 4 library calls 89815->89898 89820 f55bfb 89816->89820 89821 f56085 Concurrency::cancel_current_task 89817->89821 89822 f55df2 89817->89822 89830 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89818->89830 89818->89834 89823 f55672 89819->89823 89825 f31b84 84 API calls 89820->89825 89827 f5608a 89821->89827 89828 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89822->89828 89893 f561f0 29 API calls 3 library calls 89823->89893 89831 f55c17 89825->89831 89826->89804 89833 fad60f 25 API calls 89827->89833 89828->89834 89830->89834 89897 f31be0 81 API calls 89831->89897 89837 f5608f 89833->89837 89834->89827 89840 f55ebc ctype 89834->89840 89835 f55690 89843 fa8713 
std::locale::_Locimp::_Makeushloc 27 API calls 89835->89843 89836 f55c27 89838 f3b8a0 170 API calls 89836->89838 89839 fad60f 25 API calls 89837->89839 89838->89826 89854 f56094 ctype 89839->89854 89842 f56440 27 API calls 89840->89842 89858 f55f73 ctype 89840->89858 89841 f55f82 GetModuleHandleW 89844 f55f95 GetProcAddress 89841->89844 89845 f55fc1 89841->89845 89846 f55f2f 89842->89846 89847 f556d2 89843->89847 89844->89845 89849 f55fa7 GetCurrentProcess 89844->89849 89852 f56440 27 API calls 89845->89852 89850 f55f45 89846->89850 89899 f4aad0 28 API calls 4 library calls 89846->89899 89894 fa85bf 17 API calls 89847->89894 89849->89845 89850->89837 89850->89841 89850->89858 89859 f56022 89852->89859 89853 f560f4 89865 f5610e SysFreeString 89853->89865 89869 f5611b ctype 89853->89869 89870 f56166 ctype 89854->89870 89904 f567b0 26 API calls ctype 89854->89904 89856 f55710 89895 fa88b0 EnterCriticalSection LeaveCriticalSection RtlWakeAllConditionVariable SetEvent ResetEvent 89856->89895 89858->89841 89900 f336db 27 API calls collate 89859->89900 89860 fad60f 25 API calls 89863 f561d9 89860->89863 89861->89765 89864 f5602a 89901 f3372a 5 API calls collate 89864->89901 89865->89869 89866 f561b4 ctype 89867 f56159 SysFreeString 89867->89870 89869->89867 89869->89870 89870->89860 89870->89866 89871 f56032 89902 f3372a 5 API calls collate 89871->89902 89873 f5603a 89903 f3372a 5 API calls collate 89873->89903 89875 f56042 89876 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89875->89876 89877 f56059 89876->89877 89879 fa890e 89878->89879 89880 fa8913 LeaveCriticalSection 89879->89880 89905 fa8982 SleepConditionVariableCS LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 89879->89905 89880->89763 89884 fa8713 std::locale::_Locimp::_Makeushloc 27 API calls 89883->89884 89885 f54a6e 89884->89885 89888 f54aa5 _com_issue_error 89885->89888 89906 fa9900 89885->89906 89887 f54ab8 ctype 89887->89769 89888->89887 89889 f54afc SysFreeString 
89888->89889 89889->89887 89890->89781 89891->89790 89892->89801 89893->89835 89894->89856 89895->89861 89896->89803 89897->89836 89898->89826 89899->89850 89900->89864 89901->89871 89902->89873 89903->89875 89904->89853 89905->89879 89907 fa993d 89906->89907 89908 fa9960 89906->89908 89909 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 89907->89909 89911 fa997f MultiByteToWideChar 89908->89911 89912 fa9a33 _com_issue_error 89908->89912 89910 fa995a 89909->89910 89910->89888 89913 fa999c 89911->89913 89914 fa9a47 GetLastError 89911->89914 89912->89914 89915 fb594f _Yarn 15 API calls 89913->89915 89916 fa99ae __Strcoll 89913->89916 89918 fa9a51 _com_issue_error 89914->89918 89915->89916 89916->89912 89920 fa99fa MultiByteToWideChar 89916->89920 89917 fa9a70 GetLastError 89923 fa9a7a _com_issue_error 89917->89923 89918->89917 89919 fae960 std::_Locinfo::_Getdays 14 API calls 89918->89919 89921 fa9a6d 89919->89921 89920->89918 89922 fa9a0e SysAllocString 89920->89922 89921->89917 89924 fa9a25 89922->89924 89925 fa9a1f 89922->89925 89923->89888 89924->89907 89924->89912 89926 fae960 std::_Locinfo::_Getdays 14 API calls 89925->89926 89926->89924 89927 fa9c54 89928 fa9bdf 89927->89928 89929 f9293c ___delayLoadHelper2@8 16 API calls 89928->89929 89929->89928 89930 fc5192 89931 fc2e1c __InternalCxxFrameHandler 14 API calls 89930->89931 89932 fc51a0 89931->89932 89933 fc51ce 89932->89933 89934 fc51af 89932->89934 89936 fc51dc 89933->89936 89937 fc51e9 89933->89937 89935 fad73d std::_Stofx_v2 14 API calls 89934->89935 89943 fc51b4 89935->89943 89938 fad73d std::_Stofx_v2 14 API calls 89936->89938 89942 fc51fc 89937->89942 89958 fc555a 16 API calls __wsopen_s 89937->89958 89938->89943 89940 fc527b 89947 fc53c0 89940->89947 89942->89940 89942->89943 89944 fcec2a __wsopen_s 14 API calls 89942->89944 89945 fc526e 89942->89945 89944->89945 89945->89940 89959 fc55f5 15 API calls 2 library calls 89945->89959 89948 fc2e1c __InternalCxxFrameHandler 14 API calls 
89947->89948 89949 fc53cf 89948->89949 89950 fc5472 89949->89950 89951 fc53e2 89949->89951 89952 fc5ee6 __wsopen_s 68 API calls 89950->89952 89953 fc53ff 89951->89953 89956 fc5423 89951->89956 89955 fc540c 89952->89955 89954 fc5ee6 __wsopen_s 68 API calls 89953->89954 89954->89955 89955->89943 89956->89955 89957 fc6972 18 API calls 89956->89957 89957->89955 89958->89942 89959->89940 89960 fceced 89961 fcecf9 CallCatchBlock 89960->89961 89968 fbcd41 EnterCriticalSection 89961->89968 89963 fced04 89969 fced4c 89963->89969 89965 fced1a 89984 fced43 LeaveCriticalSection std::_Lockit::~_Lockit 89965->89984 89967 fced2e 89968->89963 89970 fced6e 89969->89970 89971 fced5b 89969->89971 89973 fcedbc 89970->89973 89974 fced80 89970->89974 89972 fad73d std::_Stofx_v2 14 API calls 89971->89972 89977 fced60 89972->89977 89975 fad73d std::_Stofx_v2 14 API calls 89973->89975 89985 fcec80 89974->89985 89975->89977 89977->89965 89980 fcedd7 89980->89977 89981 fcede5 89980->89981 89990 fad62c 11 API calls __InternalCxxFrameHandler 89981->89990 89983 fcedf1 89984->89967 89987 fcec8d 89985->89987 89986 fcece0 89986->89977 89989 fc18d3 14 API calls std::_Stofx_v2 89986->89989 89987->89986 89991 fd129f 50 API calls 89987->89991 89989->89980 89990->89983 89991->89987 89992 fc3e2f 89993 fc2174 std::_Locinfo::_W_Getmonths 15 API calls 89992->89993 89994 fc3e3a 89993->89994 89996 fc3e41 89994->89996 89997 fc3e67 89994->89997 89995 fc2098 _free 14 API calls 89999 fc3e47 89995->89999 89996->89995 89998 fc2098 _free 14 API calls 89997->89998 89998->89999 90000 fc2098 _free 14 API calls 89999->90000 90001 fc3e9d 90000->90001 90002 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 90001->90002 90003 fc3eab 90002->90003 90004 f429e0 90005 f42a00 90004->90005 90007 f42a15 90004->90007 90006 fa8367 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 90005->90006 90008 f42a0f 90006->90008 90009 f42a2b 90007->90009 90019 f42a54 90007->90019 90011 fa8367 
APIs
• std::locale::_Init.LIBCPMT ref: 00F63CE8
  • Part of subcall function 00F93084: __EH_prolog3.LIBCMT ref: 00F9308B
  • Part of subcall function 00F93084: std::_Lockit::_Lockit.LIBCPMT ref: 00F93096
  • Part of subcall function 00F93084: std::locale::_Setgloballocale.LIBCPMT ref: 00F930B1
  • Part of subcall function 00F93084: std::_Lockit::~_Lockit.LIBCPMT ref: 00F93107
• std::locale::_Init.LIBCPMT ref: 00F64934
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F64CD5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
Similarity
• API ID: std::locale::_$InitLockitstd::_$H_prolog3Ios_base_dtorLockit::_Lockit::~_Setgloballocalestd::ios_base::_
• String ID: 2$Command "%s" failed$Couldn't find the ReturnCode attribute of EXIT command$EXIT$EXIT_UPDATE$EXIT_XML$Exit update command triggered. Exiting...$Malformed XML, no UPDATEARRAY element$NWebAdvisor::NXmlUpdater::CUpdater::Process$NWebAdvisor::NXmlUpdater::Hound::End$NWebAdvisor::NXmlUpdater::Hound::ExitResult$NWebAdvisor::NXmlUpdater::Hound::Start$PRECONDITION$PRECONDITIONARRAY$Precondition "%s" evaluated to false$Precondition "%s" evaluated to true$ReturnCode$TAG$UPDATE$UPDATEARRAY$UPDATECOMMANDS$Unable to convert ReturnCode into int$Unable to substitute the return code$XML precondition array returned false due to sniffer actions$XML precondition array returned true due to sniffer actions$XML precondition array with tag %s returned false$XML precondition array with tag %s returned false due to sniffer actions$XML precondition array with tag %s returned true due to sniffer actions$XML precondition failed - no Type specified$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\Hound.h$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\xmlUpdater.cpp$false$true$unknown
• API String ID: 3544396713-2181764886
• Opcode ID: 0ddfbb8f50e0fd5d1eba4d253d1e10007db4cbc7afcd2103c35ec6278ccbbb8f
• Instruction ID: 93d7f0724ae3f6a0fe9b057c16683ed59c2d21842cf9254fa4e62909c909626f
• Opcode Fuzzy Hash: 0ddfbb8f50e0fd5d1eba4d253d1e10007db4cbc7afcd2103c35ec6278ccbbb8f
• Instruction Fuzzy Hash: 73138971D002289BDF20DF64CC99BEDBBB4AF08314F1442D9E909A7291DB75AE84DF91
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F268
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F307
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F37E
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F8B0
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4FBBD
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4FDB6
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F500BA
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5015F
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001,?,?,00000004), ref: 00F505D7
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F50614
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001,?,?,00000004), ref: 00F5086A
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F508A7
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001,0000018F,00000000,X-Api-Key: ,0000000B,00000000,00000000,?,?,00000004), ref: 00F50A90
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F50ACD
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • HTTP add request header failed for AWS x_api_key: , xrefs: 00F50A80
                                                                                                                                                                                                                                          • AWS Response Code received , xrefs: 00F50079
                                                                                                                                                                                                                                          • HTTP receive response failed for AWS: , xrefs: 00F505C7
                                                                                                                                                                                                                                          • 0Ywx4MUvRidmWf74nsIlBPIxJYIG9Nf0lSnge8SvgvY3RVy4E6gFLp3VDBcDO830QhXvfpgCb55sRtnVqKb2zUO3Vq7ko1b, xrefs: 00F4F5B7, 00F4F656
                                                                                                                                                                                                                                          • Querying AdhocTelemetryAWS value failed: , xrefs: 00F4F217
                                                                                                                                                                                                                                          • HTTP send request failed for AWS: , xrefs: 00F5085A
                                                                                                                                                                                                                                          • HTTP connection failed for AWS: , xrefs: 00F50EBA
                                                                                                                                                                                                                                          • X-Api-Key: , xrefs: 00F4FF28
                                                                                                                                                                                                                                          • SOFTWARE\McAfee\WebAdvisor, xrefs: 00F4F181
                                                                                                                                                                                                                                          • AdhocTelemetryAWS, xrefs: 00F4F1B6
                                                                                                                                                                                                                                          • Failed to convert the x_api_key string to wide, xrefs: 00F4FD8F
                                                                                                                                                                                                                                          • NO_REGVALUE, xrefs: 00F4F54F
                                                                                                                                                                                                                                          • HTTP status error for AWS: , xrefs: 00F5011E
                                                                                                                                                                                                                                          • Failed to initialize buffer for AWS, xrefs: 00F4F889
                                                                                                                                                                                                                                          • AWS Adhoc Telemetry Payload = , xrefs: 00F4FB62
                                                                                                                                                                                                                                          • HTTP open request failed for AWS: , xrefs: 00F50DB8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$ErrorLast$InitOnce$BeginCompleteInitialize
                                                                                                                                                                                                                                          • String ID: 0Ywx4MUvRidmWf74nsIlBPIxJYIG9Nf0lSnge8SvgvY3RVy4E6gFLp3VDBcDO830QhXvfpgCb55sRtnVqKb2zUO3Vq7ko1b$AWS Adhoc Telemetry Payload = $AWS Response Code received $AdhocTelemetryAWS$Failed to convert the x_api_key string to wide$Failed to initialize buffer for AWS$HTTP add request header failed for AWS x_api_key: $HTTP connection failed for AWS: $HTTP open request failed for AWS: $HTTP receive response failed for AWS: $HTTP send request failed for AWS: $HTTP status error for AWS: $NO_REGVALUE$Querying AdhocTelemetryAWS value failed: $SOFTWARE\McAfee\WebAdvisor$X-Api-Key:
                                                                                                                                                                                                                                          • API String ID: 1658547907-2938340177
                                                                                                                                                                                                                                          • Opcode ID: d4ad293ccf3a62ac017c36a0661fd3a3eaf21e14f44d89c32771a99e3f72fdd4
                                                                                                                                                                                                                                          • Instruction ID: 9f2ba1f0297d365b5b06f5ce5ecdee5949af0f1600382a0ffd706c95d0807192
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4ad293ccf3a62ac017c36a0661fd3a3eaf21e14f44d89c32771a99e3f72fdd4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BCF2CC709002689BEF24DF24CC89BDDBBB5AF45315F0042D8E94DA7292DB799AC8DF50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00F458AA
                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00F458B4
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\WGUARDNT,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00F4593A
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\Global\WGUARDNT,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00F4595C
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\WGUARDNT,80000000,00000000,00000000,00000003,40000000,00000000), ref: 00F45991
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\Global\WGUARDNT,80000000,00000000,00000000,00000003,40000000,00000000), ref: 00F459B5
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\WGUARDNT,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00F459D9
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(\\.\Global\WGUARDNT,C0000000,00000000,00000000,00000003,40000000,00000000), ref: 00F459FD
                                                                                                                                                                                                                                          • UuidCreate.RPCRT4(00000000), ref: 00F45A41
                                                                                                                                                                                                                                          • UuidCreate.RPCRT4(00000000), ref: 00F45A57
                                                                                                                                                                                                                                          • CryptAcquireContextW.ADVAPI32(?), ref: 00F45D0E
                                                                                                                                                                                                                                          • CryptCreateHash.ADVAPI32(00000010,00008003,00000000,00000000,?), ref: 00F45D2A
                                                                                                                                                                                                                                          • CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 00F45D43
                                                                                                                                                                                                                                          • CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000), ref: 00F45D5F
                                                                                                                                                                                                                                          • CryptDestroyHash.ADVAPI32(?), ref: 00F45D6E
                                                                                                                                                                                                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F45D7F
                                                                                                                                                                                                                                          • CryptAcquireContextW.ADVAPI32(?), ref: 00F45F87
                                                                                                                                                                                                                                          • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 00F45FA3
                                                                                                                                                                                                                                          • CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 00F45FBC
                                                                                                                                                                                                                                          • CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000), ref: 00F45FD8
                                                                                                                                                                                                                                          • CryptDestroyHash.ADVAPI32(?), ref: 00F45FE7
                                                                                                                                                                                                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00F45FF8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Crypt$Create$Hash$File$Context$AcquireCurrentDataDestroyParamReleaseUuid$ProcessThread
                                                                                                                                                                                                                                          • String ID: AacControl$AacControl2$AacControl3$AacControl4$AacControl5$AacControl6$Created access handle %p$\\.\Global\WGUARDNT$\\.\WGUARDNT$accesslib policy %x:%x$al delete policy on terminate process 0x%x (%d) rule$al disable rules on terminate thread 0x%x (%d) rule
                                                                                                                                                                                                                                          • API String ID: 4128897270-3926088020
                                                                                                                                                                                                                                          • Opcode ID: da4111143bb7dad75b0205143a44d6d889c31c3f9ef5dd526985bf722fbd187a
                                                                                                                                                                                                                                          • Instruction ID: ebe9b5826ae32f3e09bcce90f165a983ce08319db302b53921c389527a7119a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da4111143bb7dad75b0205143a44d6d889c31c3f9ef5dd526985bf722fbd187a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 345248756043149FEB119F24DC84B2EBBE5BF88B20F150549FA5AAB391CB74ED019F82
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegCreateKeyExW.KERNEL32(80000002,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,-00000028,?,?,-00000028,00000000,?), ref: 00F81932
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000028,?), ref: 00F81DAD
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,-00000028,?,?,-00000028,00000000,?), ref: 00F81DD3
                                                                                                                                                                                                                                          • std::locale::_Init.LIBCPMT ref: 00F820C4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Close$CreateInitstd::locale::_
                                                                                                                                                                                                                                          • String ID: to $(Default)$BIN$DWORD$Error (%d) creating registry key: %s$Error (%d) setting value (%s) under registry key: %s$Key$NUM$NWebAdvisor::NXmlUpdater::CSetVariableCommand::Execute$NWebAdvisor::NXmlUpdater::SetRegistryKey$QWORD$STR$Setting variable $Unable to convert %s to hex$Unable to read key or value attribute of SETVAR command$Unable to set the variable$Unable to substitute variables for the SETVAR command$Unknown registry key type: %s$Value$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\RegistryCommand.cpp$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\SetVariableCommand.cpp$invalid stoul argument$invalid stoull argument$invalid substitutor$memcpy_s failed in NWebAdvisor::NXmlUpdater::SetRegistryKey$stoul argument out of range$stoull argument out of range
                                                                                                                                                                                                                                          • API String ID: 3662814871-412574832
                                                                                                                                                                                                                                          • Opcode ID: 6e1d181a35a79c4d281d67fb1afc42c0aa8ed32d8a0f9e5b56c52fa0a4ebdea8
                                                                                                                                                                                                                                          • Instruction ID: 4b7762d4222e2f2338a95c5d62b64b18270ce10f6f219d4c9bdf40e7061c36a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e1d181a35a79c4d281d67fb1afc42c0aa8ed32d8a0f9e5b56c52fa0a4ebdea8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9552D3B1E003089FEB20EF54CC45BEEB7B9BF05714F140299E90967281D775AA45EFA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: D$Failed to delete executable (%d)$Failed to get process exit code (%d)$NWebAdvisor::NXmlUpdater::CExecuteLocalCommand::ExecuteLocalCommand$Signature check failed for command %s$Unable to run %s, error (%d)$Wait for process failed for command %s$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\ExecuteLocalCommand.cpp$invalid substitutor
                                                                                                                                                                                                                                          • API String ID: 0-284121414
                                                                                                                                                                                                                                          • Opcode ID: 98e9e15e66b749406bfe79182100818081f9c08098ee32e141eaacb947895ff6
                                                                                                                                                                                                                                          • Instruction ID: ce2f61dc62cdbbce81caea224691e720271f350add54e128c69f7971ec78752a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98e9e15e66b749406bfe79182100818081f9c08098ee32e141eaacb947895ff6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5E1CC71E013599BDB24EF24CC49BEDB7B4AF15304F4042DAE409A7291EBB49A88DF52
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000002,Software\McAfee\SystemCore,00000000,00020219,?), ref: 00F45225
                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,szInstallDir32,00000000,?,?,?), ref: 00F45265
                                                                                                                                                                                                                                          • SetLastError.KERNEL32(0000006F,?,?,0100A17C), ref: 00F452B6
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00F452C2
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F452F6
                                                                                                                                                                                                                                          • OutputDebugStringW.KERNEL32(NCPrivateLoadAndValidateMPTDll: Looking in current directory), ref: 00F453E3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • %ls\%ls, xrefs: 00F45533
                                                                                                                                                                                                                                          • Software\McAfee\SystemCore, xrefs: 00F4521B
                                                                                                                                                                                                                                          • NCPrivateLoadAndValidateMPTDll: Looking in current directory, xrefs: 00F453DE
                                                                                                                                                                                                                                          • NotComDllGetInterface: %ls loading %ls, WinVerifyTrust failed with %08x, xrefs: 00F456B7
                                                                                                                                                                                                                                          • szInstallDir32, xrefs: 00F4525F
                                                                                                                                                                                                                                          • NCPrivateLoadAndValidateMPTDll: Looking in EXE directory, xrefs: 00F4549C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$CloseDebugOpenOutputQueryStringValue
                                                                                                                                                                                                                                          • String ID: %ls\%ls$NCPrivateLoadAndValidateMPTDll: Looking in EXE directory$NCPrivateLoadAndValidateMPTDll: Looking in current directory$NotComDllGetInterface: %ls loading %ls, WinVerifyTrust failed with %08x$Software\McAfee\SystemCore$szInstallDir32
                                                                                                                                                                                                                                          • API String ID: 1760606849-3767168787
                                                                                                                                                                                                                                          • Opcode ID: d50267d9511904f59d279dcd59e51358ef64468118de7ff0bf0a00455e476074
                                                                                                                                                                                                                                          • Instruction ID: d79deddac41901ac56eb35e9ba2d0e2665d873371736a15aad1709f009b68726
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d50267d9511904f59d279dcd59e51358ef64468118de7ff0bf0a00455e476074
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F02B471E006199FEF20EF64CC45BAEBBB5BF04714F0441A9E909AB282DB749E44DF91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 3185 f917a0-f917e9 3186 f917eb-f9181d CryptQueryObject 3185->3186 3187 f9184f 3185->3187 3188 f9186d-f918ae call f914f0 3186->3188 3189 f9181f-f91824 3186->3189 3190 f91851-f9186c call fa8367 3187->3190 3199 f918b0-f918bd call f7e680 3188->3199 3200 f918e4-f918ea 3188->3200 3192 f9182d-f91832 3189->3192 3193 f91826-f91827 CryptMsgClose 3189->3193 3196 f91842-f91848 3192->3196 3197 f91834-f9183f CertCloseStore 3192->3197 3193->3192 3196->3187 3201 f9184a-f9184b 3196->3201 3197->3196 3207 f918bf-f918c0 CryptMsgClose 3199->3207 3208 f918c6-f918cb 3199->3208 3203 f918f0-f918f6 3200->3203 3201->3187 3205 f918fc-f91944 3203->3205 3206 f91b40-f91b4d call f7e680 3203->3206 3210 f9198e-f919d5 CryptQueryObject 3205->3210 3211 f91946-f91951 3205->3211 3224 f91b4f-f91b50 CryptMsgClose 3206->3224 3225 f91b52-f91b57 3206->3225 3207->3208 3214 f918db-f918df 3208->3214 3215 f918cd-f918d8 CertCloseStore 3208->3215 3212 f91a39-f91a5c call f914f0 3210->3212 3213 f919d7-f919dc 3210->3213 3217 f91969-f9198b call fa8375 3211->3217 3218 f91953-f91961 3211->3218 3238 f91ac8-f91aca 3212->3238 3239 f91a5e-f91a60 3212->3239 3220 f919de-f919df CryptMsgClose 3213->3220 3221 f919e1-f919ec 3213->3221 3223 f91ab8-f91aba 3214->3223 3215->3214 3217->3210 3226 f91b7c-f91b81 call fad60f 3218->3226 3227 f91967 3218->3227 3220->3221 3230 f919f8-f919fe 3221->3230 3231 f919ee-f919f5 CertCloseStore 3221->3231 3233 f91abc-f91abd 3223->3233 3234 f91ac1-f91ac3 3223->3234 3224->3225 3235 f91b59-f91b64 CertCloseStore 3225->3235 3236 f91b67 3225->3236 3227->3217 3240 f91a00-f91a01 3230->3240 3241 f91a05-f91a1a call f7e630 call f7e680 3230->3241 3231->3230 3233->3234 3234->3190 3235->3236 3236->3226 3245 f91acc-f91acd CryptMsgClose 3238->3245 3246 f91acf-f91ad4 
3238->3246 3242 f91a62-f91a63 CryptMsgClose 3239->3242 3243 f91a65-f91a70 3239->3243 3240->3241 3263 f91a1c-f91a1d CryptMsgClose 3241->3263 3264 f91a1f-f91a24 3241->3264 3242->3243 3247 f91a7c-f91a82 3243->3247 3248 f91a72-f91a79 CertCloseStore 3243->3248 3245->3246 3250 f91ae4-f91aea 3246->3250 3251 f91ad6-f91ae1 CertCloseStore 3246->3251 3254 f91a89-f91a9e call f7e630 call f7e680 3247->3254 3255 f91a84-f91a85 3247->3255 3248->3247 3252 f91aec-f91aed 3250->3252 3253 f91af1-f91af7 3250->3253 3251->3250 3252->3253 3253->3203 3257 f91afd-f91b08 3253->3257 3272 f91aa0-f91aa1 CryptMsgClose 3254->3272 3273 f91aa3-f91aa8 3254->3273 3255->3254 3261 f91b0a-f91b18 3257->3261 3262 f91b1c-f91b3b call fa8375 3257->3262 3261->3226 3268 f91b1a 3261->3268 3262->3203 3263->3264 3266 f91a30 3264->3266 3267 f91a26-f91a2d CertCloseStore 3264->3267 3266->3212 3267->3266 3268->3262 3272->3273 3274 f91aaa-f91ab1 CertCloseStore 3273->3274 3275 f91ab4 3273->3275 3274->3275 3275->3223
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CryptQueryObject.CRYPT32(00000001,00F92520,00000400,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F91815
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91827
                                                                                                                                                                                                                                            • Part of subcall function 00F914F0: CryptMsgGetParam.CRYPT32(?,00000005,00000000,?,?), ref: 00F91581
                                                                                                                                                                                                                                            • Part of subcall function 00F914F0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 00F915B2
                                                                                                                                                                                                                                            • Part of subcall function 00F914F0: CryptMsgGetParam.CRYPT32(?,00000006,?,00000000,?), ref: 00F915DD
                                                                                                                                                                                                                                            • Part of subcall function 00F914F0: CertGetSubjectCertificateFromStore.CRYPT32(?,00010001,?), ref: 00F91625
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91837
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F918C0
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F918D0
                                                                                                                                                                                                                                          • CryptQueryObject.CRYPT32(00000002,?,00003FFE,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F919CD
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F919DF
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F919F1
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91A1D
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91A29
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91A63
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91A75
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91AA1
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91AAD
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91ACD
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91AD9
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F91B50
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F91B5C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Close$Crypt$CertStore$Param$ObjectQuery$CertificateFromSubject
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2648890560-0
                                                                                                                                                                                                                                          • Opcode ID: 684538ca19c1e23f87ea1277d850ec905cc6e576081904fbf14f615a7a7342f0
                                                                                                                                                                                                                                          • Instruction ID: 91856e9e7d28da70bbdbcba1f4b4a1bb5a5dff5f6b1e0f2a849507e5862112ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 684538ca19c1e23f87ea1277d850ec905cc6e576081904fbf14f615a7a7342f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4C11B71E1020AAAEF10DFA9CD85BAEBBF8BF48714F144569E504F7280DB799904DB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F54B40: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5521E
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F47D3D
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F47DFC
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F47DC8
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F47EBB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Failed to add event category (, xrefs: 00F471F0
                                                                                                                                                                                                                                          • Failed to add event label (, xrefs: 00F47508
                                                                                                                                                                                                                                          • Failed to add reserved 2 dimension (, xrefs: 00F47834
                                                                                                                                                                                                                                          • z, xrefs: 00F47CF1
                                                                                                                                                                                                                                          • Failed to add reserved 5 dimension (, xrefs: 00F47CFD
                                                                                                                                                                                                                                          • Failed to add reserved 1 dimension (, xrefs: 00F4769E
                                                                                                                                                                                                                                          • Failed to add event action (, xrefs: 00F47379
                                                                                                                                                                                                                                          • Service has not been initialized, xrefs: 00F47E88
                                                                                                                                                                                                                                          • Failed to add reserved 3 dimension (, xrefs: 00F479CD
                                                                                                                                                                                                                                          • Failed to add reserved 4 dimension (, xrefs: 00F47B63
                                                                                                                                                                                                                                          • u, xrefs: 00F47B57
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$InitOnce$BeginCompleteConcurrency::cancel_current_taskInitializeMtx_unlock
                                                                                                                                                                                                                                          • String ID: Failed to add event action ($Failed to add event category ($Failed to add event label ($Failed to add reserved 1 dimension ($Failed to add reserved 2 dimension ($Failed to add reserved 3 dimension ($Failed to add reserved 4 dimension ($Failed to add reserved 5 dimension ($Service has not been initialized$u$z
                                                                                                                                                                                                                                          • API String ID: 342047005-3525645681
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoCreateGuid.OLE32(?), ref: 00F48FC8
                                                                                                                                                                                                                                          • StringFromCLSID.OLE32(?,?), ref: 00F48FE0
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 00F49138
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F49173
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F493D1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • SOFTWARE\McAfee\WebAdvisor, xrefs: 00F491FB
                                                                                                                                                                                                                                          • Could not create registry key , xrefs: 00F4923F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_taskCreateFreeFromGuidIos_base_dtorStringTaskstd::ios_base::_
                                                                                                                                                                                                                                          • String ID: Could not create registry key $SOFTWARE\McAfee\WebAdvisor
                                                                                                                                                                                                                                          • API String ID: 3741506170-3627174789
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00F34CA6
                                                                                                                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F34CB8
                                                                                                                                                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00F34CD3
                                                                                                                                                                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00F34CE9
                                                                                                                                                                                                                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 00F34CFA
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process32$ChangeCloseCreateCurrentFindFirstNextNotificationProcessSnapshotToolhelp32
                                                                                                                                                                                                                                          • String ID: saBSI.exe
                                                                                                                                                                                                                                          • API String ID: 1594840063-3955546181
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CryptMsgGetParam.CRYPT32(?,00000005,00000000,?,?), ref: 00F91581
                                                                                                                                                                                                                                          • CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 00F915B2
                                                                                                                                                                                                                                          • CryptMsgGetParam.CRYPT32(?,00000006,?,00000000,?), ref: 00F915DD
                                                                                                                                                                                                                                          • CertGetSubjectCertificateFromStore.CRYPT32(?,00010001,?), ref: 00F91625
                                                                                                                                                                                                                                          • CertFreeCRLContext.CRYPT32(?), ref: 00F9175E
                                                                                                                                                                                                                                            • Part of subcall function 00FAE960: _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                          • CertFreeCRLContext.CRYPT32(?), ref: 00F91738
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CertCryptParam$ContextFree$CertificateFromStoreSubject_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4059466977-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000,4638DA1B), ref: 00F44FB5
                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F44FDF
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F44FF2
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F4500B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CurrentDirectoryErrorLast
                                                                                                                                                                                                                                          • String ID: %ls\%ls
                                                                                                                                                                                                                                          • API String ID: 152501406-2125769799
                                                                                                                                                                                                                                          • Opcode ID: 0438dd1d6b7adba651a1a09b3da771ca8d019dabc11834a63f8e852d9d25c4bd
                                                                                                                                                                                                                                          • Instruction ID: 0ad5502c244f4ec645d1eb513d37060ed9f6d9554b5b206d9dd7540123d5e0be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0438dd1d6b7adba651a1a09b3da771ca8d019dabc11834a63f8e852d9d25c4bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5941A7B1E006159BDB24DF79CC4576FBAB9AB44B10F24413AE805EB281EB75C9049B91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00FBE8FD,00000002,00000002,?,00000002), ref: 00FBE920
                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,00FBE8FD,00000002,00000002,?,00000002), ref: 00FBE927
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 00FBE939
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1703294689-0
                                                                                                                                                                                                                                          • Opcode ID: 615361bb9accac00d314598f287eb77181b2fa4e7a0edd3d536e2afe2e83e976
                                                                                                                                                                                                                                          • Instruction ID: 0b4d259f2d0c0596d68ab93e0d9c48c1be642d3c94cc98b82178aed58ae4d185
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 615361bb9accac00d314598f287eb77181b2fa4e7a0edd3d536e2afe2e83e976
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11E0B63180018CAFDF517F65ED89A983B69EB44751B044415FA098A131CB79ED46EE51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FA88FA: EnterCriticalSection.KERNEL32(0102742C,?,?,?,00F4402B,0102827C,4638DA1B,?,00F41171,?), ref: 00FA8905
                                                                                                                                                                                                                                            • Part of subcall function 00FA88FA: LeaveCriticalSection.KERNEL32(0102742C,?,?,?,00F4402B,0102827C,4638DA1B,?,00F41171,?), ref: 00FA8942
                                                                                                                                                                                                                                            • Part of subcall function 00F54A40: _com_issue_error.COMSUPP ref: 00F54AD2
                                                                                                                                                                                                                                            • Part of subcall function 00F54A40: SysFreeString.OLEAUT32(-00000001), ref: 00F54AFD
                                                                                                                                                                                                                                            • Part of subcall function 00F561F0: Concurrency::cancel_current_task.LIBCPMT ref: 00F562BF
                                                                                                                                                                                                                                            • Part of subcall function 00FA88B0: EnterCriticalSection.KERNEL32(0102742C,?,?,00F44086,0102827C,00FE68E0,?), ref: 00FA88BA
                                                                                                                                                                                                                                            • Part of subcall function 00FA88B0: LeaveCriticalSection.KERNEL32(0102742C,?,?,00F44086,0102827C,00FE68E0,?), ref: 00FA88ED
                                                                                                                                                                                                                                            • Part of subcall function 00FA88B0: RtlWakeAllConditionVariable.NTDLL ref: 00FA8964
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,4638DA1B,?,?), ref: 00F557B4
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(00000000,00000001,00000010), ref: 00F557C5
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00F557D1
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00F557DC
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F56067
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F56085
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32 ref: 00F5610F
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00F5615A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalSection$Concurrency::cancel_current_taskFreeResourceString$EnterLeave$ConditionFindHandleLoadLockModuleVariableWake_com_issue_error
                                                                                                                                                                                                                                          • String ID: (error)$)$0.0.0.0$4.1.1.865$EstimatedRunTime$Failed to convert wuuid to string$IsWow64Process$NO_REGKEY$PCSystemTypeEx$PowerState$PredictFailure$Root\CIMV2$Time$UUID$UUID$Version$ery)$kState$kernel32$kernel32.dll$orm$root\wmi$select EstimatedRunTime from Win32_Battery$select PCSystemTypeEx from Win32_ComputerSystem$select PowerState from Win32_ComputerSystem$select PredictFailure from MSStorageDriver_FailurePredictStatus$t
                                                                                                                                                                                                                                          • API String ID: 2830066208-329860846
                                                                                                                                                                                                                                          • Opcode ID: a26730c5e72ccd8e7faae772ec04172a11ccef9f0833b8c24aa7ca44edbc1aa2
                                                                                                                                                                                                                                          • Instruction ID: bf3937d5057ead2ec8cc23f6bc0014f1e77a6c65047b64878f5eff5e911addfd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a26730c5e72ccd8e7faae772ec04172a11ccef9f0833b8c24aa7ca44edbc1aa2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D823770900748DFEB25DF64D8487ADBBB1AF45304F20850DE994AB3C2DBBD9A88DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F5D6D0: GetModuleHandleW.KERNEL32(kernel32.dll,00F34E6C,4638DA1B), ref: 00F5D6D5
                                                                                                                                                                                                                                            • Part of subcall function 00F5D6D0: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F5D6E5
                                                                                                                                                                                                                                          • CoInitializeEx.OLE32(00000000,00000000,4638DA1B), ref: 00F34F3E
                                                                                                                                                                                                                                          • CommandLineToArgvW.SHELL32(?,?), ref: 00F35226
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F35276
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00F352A8
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F352F3
                                                                                                                                                                                                                                          • GetLongPathNameW.KERNEL32(?,?,00000104), ref: 00F3535F
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000002), ref: 00F353AE
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,00000001), ref: 00F358E9
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                            • Part of subcall function 00F3136C: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F313A5
                                                                                                                                                                                                                                          • CoUninitialize.OLE32(?,00000001), ref: 00F358D4
                                                                                                                                                                                                                                            • Part of subcall function 00F46BD0: __Mtx_init_in_situ.LIBCPMT ref: 00F46CC0
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$HandleInitInitializeIos_base_dtorModuleNameOncestd::ios_base::_$AddressArgvBeginCloseCommandCompleteFileLineLongMtx_init_in_situPathProcUninitialize
                                                                                                                                                                                                                                          • String ID: /no_self_update$/store_xml_on_disk$/xml$BSI installation success. Exit code: $BootStrapInstaller$CommandLineToArgvW failed: $Ended$FALSE$Failed$Failed to allocate memory for event sender service$Failed to create xml updater logger$Failed to create xml updater signature verifier$GetLongPathName failed ($GetModuleFileName failed: $InitSecureDllLoading failed.$Install$InvalidArguments$MAIN_XML$Process$SA/WA installation failed with exit code: $SELF_UPDATE_ALLOWED$STORE_XML_ON_DISK$SaBsi.cpp$Some command line BSI variables are invalid.$Started$TRUE$WaitForOtherBSIToExit failed$failed to initialize updater
                                                                                                                                                                                                                                          • API String ID: 126520999-360321973
                                                                                                                                                                                                                                          • Opcode ID: e24de9c08a8a3b32cba121fe05b59e16c884f272b30eb2b7e1fe3e6e172abd06
                                                                                                                                                                                                                                          • Instruction ID: 3c895dd242137d2d12fddc2fc74e4f8ea410774da193b0fc7bc336a8df8b4a19
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e24de9c08a8a3b32cba121fe05b59e16c884f272b30eb2b7e1fe3e6e172abd06
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90625C70A04248DFEF14EFA4DC95BED7BB4BF44324F508059F809A7281DB749A48DBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F6F13D
                                                                                                                                                                                                                                            • Part of subcall function 00F68650: std::locale::_Init.LIBCPMT ref: 00F6882F
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000006,00000000,?,?,?,00000000,?,?,?,00000000,00000000), ref: 00F6FAC8
                                                                                                                                                                                                                                            • Part of subcall function 00FAE960: _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseErrorHandleInitLast_freestd::locale::_
                                                                                                                                                                                                                                          • String ID: <$Cache-Control: no-cache$CreateFile failed (%d)$File already exists: %s$GET$HTTP GET request failed (%d), url: %s$HTTP add request headers failed (%d), url: %s$HTTP connection failed (%d), url: %s$HTTP query content length (%d), url: %s$HTTP receive response failed (%d), url: %s$HTTP send request failed (%d), url: %s, ignore proxy flag %s$HTTP status (%d) error (%d), url: %s$NWebAdvisor::NHttp::NDownloadFile::StoreOnDisk::<lambda_2af623cb1b195cc2505e5df23daadde2>::operator ()$Unable to allocate %d bytes$Unable to extract the filename from url (%s)$Unable to open HTTP transaction$Unable to rename the old file (%d): %s$WinHttpCrackUrl failed (%d), url: %s$WriteFile failed (%d)$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpsDownloadFile.cpp$empty filename$false$true
                                                                                                                                                                                                                                          • API String ID: 2292809486-983596374
                                                                                                                                                                                                                                          • Opcode ID: 3de5f89cd1004a474d2dbcda96bf03f1fcec94d904fff830911b39a1e83a266b
                                                                                                                                                                                                                                          • Instruction ID: f80d4e8ee102eea757dfb221bc8aac1855d91a96d9052c4757f029190d768ee6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3de5f89cd1004a474d2dbcda96bf03f1fcec94d904fff830911b39a1e83a266b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE62B1B0A40619ABDB20DF10DC45FA9BBB5BF45704F0001E9F618672E2DB74AE84EF95
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramW6432,?,00000104), ref: 00F7683B
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F7686E
                                                                                                                                                                                                                                          • SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?,?,?,?), ref: 00F76A15
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000000,?,?,?,?), ref: 00F76A6B
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EnvironmentErrorFolderFreeKnownLastPathTaskVariable
                                                                                                                                                                                                                                          • String ID: CSIDL_COMMON_APPDATA$CSIDL_COMMON_DOCUMENTS$CSIDL_COMMON_STARTUP$CSIDL_PROGRAM_FILES$CSIDL_PROGRAM_FILESX64$CSIDL_PROGRAM_FILESX86$CSIDL_PROGRAM_FILES_COMMON$CSIDL_SYSTEM$CSIDL_SYSTEMX86$CSIDL_WINDOWS$Error retrieving directory %s$GetEnvironmentVariable failed (%d)$NWebAdvisor::NXmlUpdater::CDirSubstitution::Substitute$ProgramFiles$ProgramW6432$Unable to get the platform$Unknown folder identifier: %s$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\DirSubstitution.cpp
                                                                                                                                                                                                                                          • API String ID: 3946049928-1874136459
                                                                                                                                                                                                                                          • Opcode ID: c4e087e7d6bed34380f5d7bbaa2387d412763fe69a679a84b3d6140cafe0a116
                                                                                                                                                                                                                                          • Instruction ID: eb7667978e5d90e38bd822bb0ae34c211cf8bdbe865d170d225432a1397c550a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4e087e7d6bed34380f5d7bbaa2387d412763fe69a679a84b3d6140cafe0a116
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D02D370E00758DADB20EF64CC49BEDB7B0BF04704F148189E50DA7291EB796A88EF52
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(4638DA1B), ref: 00F6EBF9
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(4638DA1B,?,00000000,00F65D40), ref: 00F6EC70
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(4638DA1B,GET,?,00000000,00000000,00000000,00000000,?,00000000,00F65D40), ref: 00F6ECD8
                                                                                                                                                                                                                                            • Part of subcall function 00F68650: std::locale::_Init.LIBCPMT ref: 00F6882F
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(4638DA1B,Cache-Control: no-cache,000000FF,40000000,GET,?,00000000,00000000,00000000,00000000,?,00000000,00F65D40), ref: 00F6ED2E
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(4638DA1B,true,00000000,00000000,Cache-Control: no-cache,000000FF,40000000,GET,?,00000000,00000000,00000000,00000000,?,00000000,00F65D40), ref: 00F6ED75
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$Initstd::locale::_
                                                                                                                                                                                                                                          • String ID: <$Cache-Control: no-cache$GET$HTTP GET request failed (%d), url: %s$HTTP add request headers failed (%d), url: %s$HTTP connection failed (%d), url: %s$HTTP query content length (%d), url: %s$HTTP receive response failed (%d), url: %s$HTTP send request failed (%d), url: %s, proxy ignore flag %s$HTTP status (%d) error (%d), url: %s$NWebAdvisor::NHttp::NDownloadFile::From::<lambda_1effc98e56da47b46c9f3c737083b6c0>::operator ()$Not enough space in buffer: bufferLength(%d) Read(%d)$Unable to allocate %d bytes$WinHttpCrackUrl failed (%d), url: %s$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpsDownloadFile.cpp$false$true
                                                                                                                                                                                                                                          • API String ID: 1579124236-1699437461
                                                                                                                                                                                                                                          • Opcode ID: 3062095cbe39ed59201067a7c822f4d5a2992b35a0db0858ea50e7807f0b75ce
                                                                                                                                                                                                                                          • Instruction ID: 6b3e21db47123bfe9c326b2791e520e56c24880efa01ef4223e78e4bf504c21f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3062095cbe39ed59201067a7c822f4d5a2992b35a0db0858ea50e7807f0b75ce
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30C1A5F1A4071DAAEB209F10CC42FE9B764AF14B04F404199F709771C2E7B5AA84DF6A
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • PathFindExtensionW.SHLWAPI(00000000,?,?,?,?,0100BFD0,00000000,4638DA1B), ref: 00F6BD7A
                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00F6BE57
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DeleteExtensionFileFindPath
                                                                                                                                                                                                                                          • String ID: .cab$.exe$DestDir$DestFile$Location$MD5$NWebAdvisor::NXmlUpdater::CDownloadCommand::DownloadCommand$NWebAdvisor::NXmlUpdater::CDownloadCommand::Execute$Unable to create destination directory (%d)$Unable to download %s$Unable to get substitute download variables$Unable to read Location and/or DestDir attribute of DOWNLOAD command$Unable to verify MD5, deleting file: %s$Unable to verify signature, deleting file: %s$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\DownloadCommand.cpp$extra$invalid substitutor
                                                                                                                                                                                                                                          • API String ID: 3618814920-733304951
                                                                                                                                                                                                                                          • Opcode ID: 8a0b2bd763dcc116d75f70d731b99e0958959b4566cdecbbc1f2e7cea5be374b
                                                                                                                                                                                                                                          • Instruction ID: cd233088d17f492174854586b6858ec08a003bb20a5c2ea73b76babc6e05b616
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a0b2bd763dcc116d75f70d731b99e0958959b4566cdecbbc1f2e7cea5be374b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3822C171E00208DBDF20DFA4CC95BEEB7B4BF04314F104119E955A7292DB79AA48EFA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,?,00000000), ref: 00F40903
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?), ref: 00F40A26
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?), ref: 00F40A43
                                                                                                                                                                                                                                            • Part of subcall function 00F32510: __EH_prolog3_catch.LIBCMT ref: 00F32517
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F40B08
                                                                                                                                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F40B50
                                                                                                                                                                                                                                          • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00F40B86
                                                                                                                                                                                                                                          • std::locale::_Init.LIBCPMT ref: 00F40B97
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F40BC0
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F40BE1
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F40BF2
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F41017
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F41020
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$DescriptorFreeLocalLockit::_Securitystd::locale::_$AddfacConvertH_prolog3_catchInitIos_base_dtorLocimp::_Locimp_LocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockit::~_Mtx_unlockStringstd::ios_base::_
                                                                                                                                                                                                                                          • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                          • API String ID: 2168703646-3388121372
                                                                                                                                                                                                                                          • Opcode ID: e25c346c4bd47407d028d544e61d54836776287687e1b3bc3801b70fa3adcbfe
                                                                                                                                                                                                                                          • Instruction ID: 74c3d282057e143f80ed37d3d89522bc46e5f855d1554e36d1bba3206737c726
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e25c346c4bd47407d028d544e61d54836776287687e1b3bc3801b70fa3adcbfe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40327A70D00258CFDB24DFA8C985BDDBBB0BF08314F1440A9E949AB291DB75AE84DF91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,4638DA1B,?), ref: 00F6947B
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00F6948B
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00F694A8
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,0100A52C,0100A52A), ref: 00F697C1
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,0100A52C,0100A52A), ref: 00F697CB
                                                                                                                                                                                                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000104), ref: 00F6987C
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F6989A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • GetLongPathName failed (%d) for %s, xrefs: 00F698A2
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\SubstitutionManager.cpp, xrefs: 00F697E1, 00F698B1
                                                                                                                                                                                                                                          • 1.1, xrefs: 00F69BCB
                                                                                                                                                                                                                                          • kernel32, xrefs: 00F69472
                                                                                                                                                                                                                                          • GetModuleFileName failed (%d), xrefs: 00F697D2
                                                                                                                                                                                                                                          • NWebAdvisor::NXmlUpdater::CSubstitutionManager::GetExtractDir, xrefs: 00F697DC, 00F698AC
                                                                                                                                                                                                                                          • IsWow64Process, xrefs: 00F69485
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLastModuleName$AddressCurrentFileHandleLongPathProcProcess
                                                                                                                                                                                                                                          • String ID: 1.1$GetLongPathName failed (%d) for %s$GetModuleFileName failed (%d)$IsWow64Process$NWebAdvisor::NXmlUpdater::CSubstitutionManager::GetExtractDir$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\SubstitutionManager.cpp$kernel32
                                                                                                                                                                                                                                          • API String ID: 891933594-2307011595
                                                                                                                                                                                                                                          • Opcode ID: 450c5fed2bf8b9ae6364a695bc43dd9efc57b88b5fac526c0e10d7ff0204ca5f
                                                                                                                                                                                                                                          • Instruction ID: 528181ef4fea731cad819e7268a4781a6931e650cc075faf5c9542427e69109a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 450c5fed2bf8b9ae6364a695bc43dd9efc57b88b5fac526c0e10d7ff0204ca5f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5172BCB0A002189FDF24CF64CC85B9DB7B9AF49314F1041DCE209AB291DBB9AE85DF55
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F56067
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F56085
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32 ref: 00F5610F
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00F5615A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_taskFreeString
                                                                                                                                                                                                                                          • String ID: )$IsWow64Process$NO_REGKEY$UUID$UUID$kernel32$orm
                                                                                                                                                                                                                                          • API String ID: 3597043392-3766208032
                                                                                                                                                                                                                                          • Opcode ID: 2ebb753fa2319cf47cd8ebcbf3ed100562193ed32e8aef00a874e2469f839794
                                                                                                                                                                                                                                          • Instruction ID: c2952bc519fdbd4db41bcd54b4324c428db69d6c8881c896064bff51e7686eeb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ebb753fa2319cf47cd8ebcbf3ed100562193ed32e8aef00a874e2469f839794
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CE147B09007489FEB28DF74CC487ADBBB1AF41711F24461CE855AB3C2DB789A88DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F66590
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00F665A1
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F665B2
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00F665E1
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00F6660D
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F66636
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00F6666A
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00F66696
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00F666A7
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 00F666B9
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F6677C
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F6678D
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F667BD
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00F667CE
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                                                                                                                                          • String ID: Temp
                                                                                                                                                                                                                                          • API String ID: 1780285237-2875271924
                                                                                                                                                                                                                                          • Opcode ID: fcd4c48b842fa388f56e466d6085331757794e089527c8b7d888704400ccc8f1
                                                                                                                                                                                                                                          • Instruction ID: 4c980ee7856cb8c115938bbf38eb15d28cf7ef282ca0470f95be8f87f6458cce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fcd4c48b842fa388f56e466d6085331757794e089527c8b7d888704400ccc8f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50713DB0E002199BDF109FA5DC84BAEF7B8AF04714F198159EC05EB245DB7AD944DFA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E4A1
                                                                                                                                                                                                                                            • Part of subcall function 00F4DE80: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4DF0C
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4E3DE
                                                                                                                                                                                                                                            • Part of subcall function 00F4E0D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E161
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4E4FB
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E665
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E6F8
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$InitMtx_unlockOnce$BeginCompleteInitialize
                                                                                                                                                                                                                                          • String ID: AdhocTelemetryAzure$Event string is empty$Querying AdhocTelemetryAzure value failed: $SOFTWARE\McAfee\WebAdvisor$]$`$`
                                                                                                                                                                                                                                          • API String ID: 1670716954-3162407775
                                                                                                                                                                                                                                          • Opcode ID: f88ac7ee1e910fb03e182d0b521d01614e919a7f19b0bc194fff7f5b0d01625d
                                                                                                                                                                                                                                          • Instruction ID: cbce5c66202c8b21be913dbf760860bea750e6bff7e82b6f0646a0e9c8312920
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f88ac7ee1e910fb03e182d0b521d01614e919a7f19b0bc194fff7f5b0d01625d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C91B371D042189BDB14EF64DC41BEEB7B8FF55320F0045A9E905A7281EB785B48EBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • OpenProcess.KERNEL32(00000400,00000000,?,4638DA1B,?,?), ref: 00F44257
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001,?,?), ref: 00F442BC
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F442F2
                                                                                                                                                                                                                                          • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,00000000,?,00000104,00000000,?,?), ref: 00F44367
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?), ref: 00F44375
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4440A
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?), ref: 00F4455B
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Filename for process with id , xrefs: 00F444B0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$ErrorInitLastOnceProcess$BeginCloseCompleteFullHandleImageInitializeNameOpenQuery
                                                                                                                                                                                                                                          • String ID: Filename for process with id
                                                                                                                                                                                                                                          • API String ID: 563014942-4200337779
                                                                                                                                                                                                                                          • Opcode ID: 51b4f8a25e6d5550cdaaf00c0e98fbba5b7273a22d6ec20fd2e87d032322b5af
                                                                                                                                                                                                                                          • Instruction ID: 6d4363fa4540c260870ecdf76203e3766bc2234bb22f654a55e545ddab642c36
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51b4f8a25e6d5550cdaaf00c0e98fbba5b7273a22d6ec20fd2e87d032322b5af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAD19E70D10259DBDB20DFA4DC85BEEBBB4FF44314F104659E809A7281EB786A48DB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FCFE25: CreateFileW.KERNEL32(00000000,00000000,?,00FD0187,?,?,00000000,?,00FD0187,00000000,0000000C), ref: 00FCFE42
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00FD01F2
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FD01F9
                                                                                                                                                                                                                                          • GetFileType.KERNEL32(00000000), ref: 00FD0205
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00FD020F
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FD0218
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00FD0238
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00FD0385
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00FD03B7
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FD03BE
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                          • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                                          • Opcode ID: 8476d5e5575d8a628c1c6e71029c81c3f01d854af2446d940fe332fae4078c0c
                                                                                                                                                                                                                                          • Instruction ID: 1b9aa6fcb5125188d5b4482a0fb60adeebe708969cc807e381f5b4c071ce7b78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8476d5e5575d8a628c1c6e71029c81c3f01d854af2446d940fe332fae4078c0c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4A109329041498FCF19DF68DC56BAD3BA2AB06324F28015EF811EF391DB399D12E751
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F56085
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32 ref: 00F5610F
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 00F5615A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeString$Concurrency::cancel_current_task
                                                                                                                                                                                                                                          • String ID: )$IsWow64Process$NO_REGKEY$UUID$UUID$kernel32$orm
                                                                                                                                                                                                                                          • API String ID: 2663709405-3766208032
                                                                                                                                                                                                                                          • Opcode ID: fc1d71324cd4a7e23f0b400a6fc97ffa69cf1c93109ad17f6ae929f8852a9d84
                                                                                                                                                                                                                                          • Instruction ID: defbf86bf1db31dda2328cb9e2bb98a4cc0dd79fc33dae18279126c01de93385
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc1d71324cd4a7e23f0b400a6fc97ffa69cf1c93109ad17f6ae929f8852a9d84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F8B103709007889FEF15CFB4C95879DBBB2AF41715F20464CE844AB3C2DBB99A88DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __Mtx_init_in_situ.LIBCPMT ref: 00F4D1E6
                                                                                                                                                                                                                                            • Part of subcall function 00F3BBB0: std::locale::_Init.LIBCPMT ref: 00F3BBFC
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4D6C4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorMtx_init_in_situstd::ios_base::_std::locale::_
                                                                                                                                                                                                                                          • String ID: .servicebus.windows.net/$/messages?timeout=60&api-version=2014-01$AWS m_url_aws = $Content-Type: application/atom+xml;type=entry;charset=utf-8$`$https://$u
                                                                                                                                                                                                                                          • API String ID: 655687434-311951724
                                                                                                                                                                                                                                          • Opcode ID: 682e5a5730071939d428c6b7734f70e4c3b4c56d9200d49ee6d588f37b697b30
                                                                                                                                                                                                                                          • Instruction ID: fc6f2134f347359e88d3a55782419f3763d757638535fd013788616fb893e14c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 682e5a5730071939d428c6b7734f70e4c3b4c56d9200d49ee6d588f37b697b30
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF42AE709007458FEB25CF24DD45BA9BBB0BF45308F1086ADE94CAB692EB75A6C4CF50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WTSGetActiveConsoleSessionId.KERNEL32(0000003C,?), ref: 00F43E00
                                                                                                                                                                                                                                          • OutputDebugStringW.KERNEL32(WTSQuerySessionInformation failed to retrieve current user name for the log name.), ref: 00F43F9C
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F43FCA
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • WTSQuerySessionInformation failed to retrieve current user name for the log name., xrefs: 00F43F97
                                                                                                                                                                                                                                          • UNKNOWN, xrefs: 00F43DD2
                                                                                                                                                                                                                                          • WTSQuerySessionInformation failed to retrieve the size of the current user name for the log name., xrefs: 00F43F81
                                                                                                                                                                                                                                          • Error retrieving session id for generating log name., xrefs: 00F43E0B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ActiveConcurrency::cancel_current_taskConsoleDebugOutputSessionString
                                                                                                                                                                                                                                          • String ID: Error retrieving session id for generating log name.$UNKNOWN$WTSQuerySessionInformation failed to retrieve current user name for the log name.$WTSQuerySessionInformation failed to retrieve the size of the current user name for the log name.
                                                                                                                                                                                                                                          • API String ID: 1186403813-1860316991
                                                                                                                                                                                                                                          • Opcode ID: e3b3f633c102c26f9741b432a291311ab80383f8ca29eecda3eb31094cb4db78
                                                                                                                                                                                                                                          • Instruction ID: 76af2341344040aab5f07d67d6b0db7d988c35aa56f2937bd3b99ae2c21c132b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3b3f633c102c26f9741b432a291311ab80383f8ca29eecda3eb31094cb4db78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E51C4B1E00215DFDB189FB4DC8576EBBB4FF44320F200629E816D7691E7799A44EB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00F54AA5,00F54AA7,00000000,00000000,4638DA1B,?,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5,?), ref: 00FA9989
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00F54AA5,?,00000000,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5), ref: 00FA9A04
                                                                                                                                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00FA9A0F
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A38
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A42
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(80070057,4638DA1B,?,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5,?), ref: 00FA9A47
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A5A
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5,?), ref: 00FA9A70
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A83
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1353541977-0
                                                                                                                                                                                                                                          • Opcode ID: a3201c43eba58c05f54752919bc967a2e3e24e12b3a612cc941b8f08b4378726
                                                                                                                                                                                                                                          • Instruction ID: f044c8fab30c44149a434ff728bd3be4e6655d65b3576b79cf12f3273740006d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3201c43eba58c05f54752919bc967a2e3e24e12b3a612cc941b8f08b4378726
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E41C8F1A04209AFD710DF65DC45BAFB7A8AF4A760F10463EF505E7251DB789800E7A4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F3E310: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,00000000,00000000), ref: 00F3E36C
                                                                                                                                                                                                                                          • __Mtx_init_in_situ.LIBCPMT ref: 00F39DD4
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F3A06D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DescriptorSecurity$Concurrency::cancel_current_taskConvertMtx_init_in_situString
                                                                                                                                                                                                                                          • String ID: LogLevel$LogRotationCount$LogRotationFileSize$SOFTWARE\McAfee\WebAdvisor$log
                                                                                                                                                                                                                                          • API String ID: 239504998-2017128786
                                                                                                                                                                                                                                          • Opcode ID: 3ac87f01667b6ef4928f4e38849124d8493fdeabac57c14ae8d460f3ad9a17cf
                                                                                                                                                                                                                                          • Instruction ID: 734b412748539ca338a34e257374d7621abeaeb6e9d9332de8c87697fa7cb17f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ac87f01667b6ef4928f4e38849124d8493fdeabac57c14ae8d460f3ad9a17cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45C1BFB1D01249DFDB04DFA4C945BEDBBF0FF48314F204119E415A7291EBB9AA88DB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E161
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F4E278
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E351
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Event Sender already initialized for AWS, xrefs: 00F4E137
                                                                                                                                                                                                                                          • `, xrefs: 00F4E30E
                                                                                                                                                                                                                                          • WinHttpCrackUrl failed for AWS: , xrefs: 00F4E268
                                                                                                                                                                                                                                          • Unable to open HTTP session for AWS, xrefs: 00F4E327
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$InitOnce$BeginCompleteErrorInitializeLast
                                                                                                                                                                                                                                          • String ID: Event Sender already initialized for AWS$Unable to open HTTP session for AWS$WinHttpCrackUrl failed for AWS: $`
                                                                                                                                                                                                                                          • API String ID: 2211357200-2761544906
                                                                                                                                                                                                                                          • Opcode ID: 3e67ea586be11bc090674634c5cd0f111e48c4695c0327bcc4537dfeb6405470
                                                                                                                                                                                                                                          • Instruction ID: f0efb50f5717cc2c5fa1cc6f71527fc687e2fc263b25c63bd2fc18b0d892b34e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e67ea586be11bc090674634c5cd0f111e48c4695c0327bcc4537dfeb6405470
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3619F709007099BDB24DFA0DC45BEEB7B9FF44315F00096DE919A7280EBB46A48DFA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __Mtx_init_in_situ.LIBCPMT ref: 00F46D7B
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F46F75
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F46F88
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorMtx_init_in_situMtx_unlockstd::ios_base::_
                                                                                                                                                                                                                                          • String ID: event sender$=$Failed to initialize $async
                                                                                                                                                                                                                                          • API String ID: 3676452600-816272291
                                                                                                                                                                                                                                          • Opcode ID: 23e25fd4d5c3e11cbc65b3e37d96cc49a859cd6270b16f534c4840c485cf0fa9
                                                                                                                                                                                                                                          • Instruction ID: d070887107f3aede1cb39ded830cc33481d7f75d7ef1a86626b1b4023e9c1d7f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23e25fd4d5c3e11cbc65b3e37d96cc49a859cd6270b16f534c4840c485cf0fa9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C961A070904305CFEF05DF60C855BAEBBB5BF45310F504199D805AB382EBB89A48EB92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4DF0C
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F4DFD7
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E0A2
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • `, xrefs: 00F4E05F
                                                                                                                                                                                                                                          • WinHttpCrackUrl failed for Azure: , xrefs: 00F4DFC7
                                                                                                                                                                                                                                          • Unable to open HTTP session for Azure, xrefs: 00F4E078
                                                                                                                                                                                                                                          • Event Sender already initialized for Azure, xrefs: 00F4DEE2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$InitOnce$BeginCompleteErrorInitializeLast
                                                                                                                                                                                                                                          • String ID: Event Sender already initialized for Azure$Unable to open HTTP session for Azure$WinHttpCrackUrl failed for Azure: $`
                                                                                                                                                                                                                                          • API String ID: 2211357200-2974208456
                                                                                                                                                                                                                                          • Opcode ID: 686e170b51e03687bcc86755fba78141016e8a632b85edc9bc7a721121023987
                                                                                                                                                                                                                                          • Instruction ID: dfcea09cb0cbf2384777ddbe48933e7fda7f875b19684cb00f946acc1566c7e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 686e170b51e03687bcc86755fba78141016e8a632b85edc9bc7a721121023987
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F517F709043589FDB25DF60CC55BEEB7B8FF44314F00499DE84AA7290EBB8AA48DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F48FB0: CoCreateGuid.OLE32(?), ref: 00F48FC8
                                                                                                                                                                                                                                            • Part of subcall function 00F48FB0: StringFromCLSID.OLE32(?,?), ref: 00F48FE0
                                                                                                                                                                                                                                            • Part of subcall function 00F48FB0: CoTaskMemFree.OLE32(?), ref: 00F49138
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F493D1
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorOncestd::ios_base::_$BeginCompleteCreateFreeFromGuidInitializeStringTask
                                                                                                                                                                                                                                          • String ID: Could not set registry value $Could not set registry value InstallerFlags$Failed to create new UUID$InstallerFlags$UUID$]
                                                                                                                                                                                                                                          • API String ID: 598746661-2174109026
                                                                                                                                                                                                                                          • Opcode ID: beafe8f3fe8a975cb7a5e7fe56cb4c63eff51649d7ef3511f3c18961b5eb378a
                                                                                                                                                                                                                                          • Instruction ID: 4f4e99e9db279f18788152210d88c3478ad24f63400f8c9ecc626cbc9146c394
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: beafe8f3fe8a975cb7a5e7fe56cb4c63eff51649d7ef3511f3c18961b5eb378a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC51AF30A04208DAEF14EF60DC56BEEB764FF51320F508159EC4557281EBB8AB48EBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,NotComDllGetInterface), ref: 00F45808
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 00F45828
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F45830
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 00F45839
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary$AddressErrorLastProc
                                                                                                                                                                                                                                          • String ID: NotComDllGetInterface$mfeaaca.dll
                                                                                                                                                                                                                                          • API String ID: 1092183831-2777911605
                                                                                                                                                                                                                                          • Opcode ID: d7556c744e88c6534eb22510c0d2eeb8c740c8f3a5a681af8e1afb4991a658ec
                                                                                                                                                                                                                                          • Instruction ID: f60711f1f674d7ba9c519777374040f277d3b28542500fb784287878e6f0b7ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7556c744e88c6534eb22510c0d2eeb8c740c8f3a5a681af8e1afb4991a658ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B21B632D0061D9BEB11AFA8EC8466EBFB4FF55760F440269ED05E7241EB708D00ABD1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F34C8E: GetCurrentProcessId.KERNEL32 ref: 00F34CA6
                                                                                                                                                                                                                                            • Part of subcall function 00F34C8E: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F34CB8
                                                                                                                                                                                                                                            • Part of subcall function 00F34C8E: Process32FirstW.KERNEL32(00000000,?), ref: 00F34CD3
                                                                                                                                                                                                                                            • Part of subcall function 00F34C8E: Process32NextW.KERNEL32(00000000,0000022C), ref: 00F34CE9
                                                                                                                                                                                                                                            • Part of subcall function 00F34C8E: FindCloseChangeNotification.KERNEL32(00000000), ref: 00F34CFA
                                                                                                                                                                                                                                          • CreateMutexW.KERNEL32(00000000,00000000,Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}), ref: 00F34D88
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F34DD0
                                                                                                                                                                                                                                            • Part of subcall function 00F3136C: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F313A5
                                                                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 00F34DFC
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32 ref: 00F34E0D
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • SaBsi.cpp, xrefs: 00F34DA9
                                                                                                                                                                                                                                          • Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}, xrefs: 00F34D7F
                                                                                                                                                                                                                                          • CreateMutex failed: , xrefs: 00F34DC2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseCreateInitIos_base_dtorOnceProcess32std::ios_base::_$BeginChangeCompleteCurrentErrorFindFirstHandleInitializeLastMutexNextNotificationObjectProcessSingleSnapshotToolhelp32Wait
                                                                                                                                                                                                                                          • String ID: CreateMutex failed: $Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}$SaBsi.cpp
                                                                                                                                                                                                                                          • API String ID: 2189495138-1117126455
                                                                                                                                                                                                                                          • Opcode ID: 73e9e1e7d26244a48a436e3d285988be04c453eccad45ea5147ee807bb759692
                                                                                                                                                                                                                                          • Instruction ID: 3ba7a2004b7db59aa5b5b4d26679c8be4ec39292b10dac9e38b3f961ff5c645e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73e9e1e7d26244a48a436e3d285988be04c453eccad45ea5147ee807bb759692
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 751191312183429BD720EF20EC45B6AB7A4BF50720F004D1CB895871D1EBB8B588EA62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F4CCB0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4CDBB
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F4F0FC
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F268
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F307
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Querying AdhocTelemetryAWS value failed: , xrefs: 00F4F217
                                                                                                                                                                                                                                          • SOFTWARE\McAfee\WebAdvisor, xrefs: 00F4F181
                                                                                                                                                                                                                                          • AdhocTelemetryAWS, xrefs: 00F4F1B6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$Concurrency::cancel_current_task
                                                                                                                                                                                                                                          • String ID: AdhocTelemetryAWS$Querying AdhocTelemetryAWS value failed: $SOFTWARE\McAfee\WebAdvisor
                                                                                                                                                                                                                                          • API String ID: 1722207485-3297656441
                                                                                                                                                                                                                                          • Opcode ID: 4dfc0424db75fc0a227ab395d0ce6a9452692a98cb76598c8969650b573c98d1
                                                                                                                                                                                                                                          • Instruction ID: d1692149c9ab36f47ee1903ce5c654566213596b5ad3ad37fbc253c4a0bf2c79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4dfc0424db75fc0a227ab395d0ce6a9452692a98cb76598c8969650b573c98d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BC1E2B1D042189FDB14DF68CC45BEEBBB4FF45320F1042A9E819A7282EB745E49DB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4CDBB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorOncestd::ios_base::_$BeginCompleteInitialize
                                                                                                                                                                                                                                          • String ID: 5$AdhocAWSQAMode$Querying AdhocAWSQAMode value failed: $SOFTWARE\McAfee\WebAdvisor$`
                                                                                                                                                                                                                                          • API String ID: 539357862-2884122493
                                                                                                                                                                                                                                          • Opcode ID: 6403f667dbde149e1c4e7edd71c52df947190b7c755210becb732e58748bb128
                                                                                                                                                                                                                                          • Instruction ID: 037898f00fecd12d08759a31f2ddb04587cac96fd1a7cb483345d694767c7f78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6403f667dbde149e1c4e7edd71c52df947190b7c755210becb732e58748bb128
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9318171D1420D9ADF14EFA0CC52BEDBBB8FF08310F504569E916B3281EB785A48DBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00F35A59
                                                                                                                                                                                                                                            • Part of subcall function 00F35C1E: CoCreateInstance.OLE32(00FFD808,00000000,00000017,0100B024,00000000,4638DA1B,?,?,?,00000000,00000000,00000000,00FD8687,000000FF), ref: 00F35C7A
                                                                                                                                                                                                                                            • Part of subcall function 00F35C1E: OleRun.OLE32(00000000), ref: 00F35C89
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00F35B97
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • i, xrefs: 00F35B5D
                                                                                                                                                                                                                                          • Failed to create Global Options object. Error , xrefs: 00F35AA9
                                                                                                                                                                                                                                          • Failed to set new option. Error , xrefs: 00F35B26
                                                                                                                                                                                                                                          • Activation option is set successfuly, xrefs: 00F35B69
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitOnce$BeginCompleteCreateH_prolog3_InitializeInstanceIos_base_dtor_com_issue_errorstd::ios_base::_
                                                                                                                                                                                                                                          • String ID: Activation option is set successfuly$Failed to create Global Options object. Error $Failed to set new option. Error $i
                                                                                                                                                                                                                                          • API String ID: 1362393928-3233122435
                                                                                                                                                                                                                                          • Opcode ID: 3fdf7f5ff55488139872516064306e087de5ac3ddc1ac8ec5225d9c667bf9f07
                                                                                                                                                                                                                                          • Instruction ID: 51ab74c034bea10978cf0eba1bbfd2dca9b0a8d65d77f2cc6852bc560c20107f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fdf7f5ff55488139872516064306e087de5ac3ddc1ac8ec5225d9c667bf9f07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E317C70E15219CBEF05EBA0CC52BEEB374BF90720F404598E401A72C1EBB85A05EFA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F55182
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5521E
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_taskIos_base_dtorstd::ios_base::_
                                                                                                                                                                                                                                          • String ID: 8$Invalid arguements passed to AddDimension$N
                                                                                                                                                                                                                                          • API String ID: 4106036149-2360809898
                                                                                                                                                                                                                                          • Opcode ID: 9f917103ddac68652dedb809214d95948277d9caac054d0238686233eb1c13b2
                                                                                                                                                                                                                                          • Instruction ID: 5b869ae41c6836642c09ce77a812ae6eb194aa1e584d938038dd28b0be986357
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f917103ddac68652dedb809214d95948277d9caac054d0238686233eb1c13b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E32F070D003489FDB24CF64C844BAEBBF1FF45314F148299E959AB292D779A989DF80
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __allrem.LIBCMT ref: 00FB2461
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB247D
                                                                                                                                                                                                                                          • __allrem.LIBCMT ref: 00FB2494
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB24B2
                                                                                                                                                                                                                                          • __allrem.LIBCMT ref: 00FB24C9
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB24E7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1992179935-0
                                                                                                                                                                                                                                          • Opcode ID: f87d5442f0ebf9ebcbd6879315b9098c2ef1ccdfcdcf202bff3e40a4258d3857
                                                                                                                                                                                                                                          • Instruction ID: cbf6154b1bf44dbbd37b515f1902438b41f9efb2efeb68f7585b72cf57959ae6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f87d5442f0ebf9ebcbd6879315b9098c2ef1ccdfcdcf202bff3e40a4258d3857
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F811CB2A00702DBE724EE2ACC82B9A73E5AF45770F18852EF415D76C1E778D901AF50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __Mtx_destroy_in_situ.LIBCPMT ref: 00F4085F
                                                                                                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,?,00000000), ref: 00F40903
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?), ref: 00F40A26
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F41020
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA), xrefs: 00F408FE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DescriptorSecurity$ConvertFreeLocalMtx_destroy_in_situMtx_unlockString
                                                                                                                                                                                                                                          • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
                                                                                                                                                                                                                                          • API String ID: 4147401711-3078421892
                                                                                                                                                                                                                                          • Opcode ID: 46f54b633378e07de1a8a17fcb266796fbeabec4e0cb8dfd3fb63f1d6b83cd52
                                                                                                                                                                                                                                          • Instruction ID: 8f3fd63e0a4cad39e2c406b424bad591e382e6d0fe0f7eb3be7743ecdd643bcd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46f54b633378e07de1a8a17fcb266796fbeabec4e0cb8dfd3fb63f1d6b83cd52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2612371D003548BDB14CF68CC85BEEBBB5AF44314F0441ADE94997791DB78AA84DB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Unable to convert XML buffer into wide characters, xrefs: 00F6E6BC
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\XMLParser.cpp, xrefs: 00F6E5AF, 00F6E6C8
                                                                                                                                                                                                                                          • invalid input, xrefs: 00F6E5A3
                                                                                                                                                                                                                                          • NWebAdvisor::XMLParser::ParseBuffer, xrefs: 00F6E5AA, 00F6E6C3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: __cftoe
                                                                                                                                                                                                                                          • String ID: NWebAdvisor::XMLParser::ParseBuffer$Unable to convert XML buffer into wide characters$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\XMLParser.cpp$invalid input
                                                                                                                                                                                                                                          • API String ID: 4189289331-3914853187
                                                                                                                                                                                                                                          • Opcode ID: 19a511c3c0e8497daf3224579791ca16e7207e2ccf3e806e9b897570aeb69592
                                                                                                                                                                                                                                          • Instruction ID: 7328c23ce860c9203e2b020849b278a3d5cc4d071c1808fc6d781dd167f9d016
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19a511c3c0e8497daf3224579791ca16e7207e2ccf3e806e9b897570aeb69592
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A941F4B6A01305ABCB24DF64DC42BAFF7E4BF18710F40452DF94A97281DBB9E904A791
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __Xtime_get_ticks.LIBCPMT ref: 00F37FAA
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F37FBC
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F37FD0
                                                                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F37FE2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Xtime_get_ticks
                                                                                                                                                                                                                                          • String ID: [%Y%m%d %H:%M:%S.
                                                                                                                                                                                                                                          • API String ID: 3638035285-2843400524
                                                                                                                                                                                                                                          • Opcode ID: fff0e09a4799faddc6eaa24c153d09a1209dccaa8fe4852b919ed87b3e156a82
                                                                                                                                                                                                                                          • Instruction ID: 443d4d25c08cd56a4b3bd92120f1821006d728b1fb4f8ee242b20d71f23f89d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fff0e09a4799faddc6eaa24c153d09a1209dccaa8fe4852b919ed87b3e156a82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4319371E003149FDB11EFA4CC42FAEB7F9EB44B50F14452AF504AB381EB7869059794
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: %s%s$%s\%s$\\?\
                                                                                                                                                                                                                                          • API String ID: 0-2843747179
                                                                                                                                                                                                                                          • Opcode ID: 9a47364f59f78e00bb625e218d1623e9de53500830cb020052a1802f4617cf9b
                                                                                                                                                                                                                                          • Instruction ID: ae74496c70d47faf99df3f8ef103c7d4b23a12c7db2279f7cc54cc3fe5557bfe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a47364f59f78e00bb625e218d1623e9de53500830cb020052a1802f4617cf9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CED1B372D00218DFCF10DFE4CC85AEEB7B9EF05320F58052AE915A7251E735AA45EBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\WATesting,00000000,00000001,?,4638DA1B,00000000,00000001), ref: 00F739FC
                                                                                                                                                                                                                                            • Part of subcall function 00F72820: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,4638DA1B,00000000,00000001,?), ref: 00F728AC
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InfoOpenQuery
                                                                                                                                                                                                                                          • String ID: SOFTWARE\WATesting$path
                                                                                                                                                                                                                                          • API String ID: 165108877-1550987622
                                                                                                                                                                                                                                          • Opcode ID: c1ae8416fafb957c737819b2eebe5ec51a504640e787f08739aa7729d5759cd6
                                                                                                                                                                                                                                          • Instruction ID: c8f8bb72e2662e10f48fe03a59da9212dea7f83106c4fd268f1cded26c2df8c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1ae8416fafb957c737819b2eebe5ec51a504640e787f08739aa7729d5759cd6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60518071D0025CEBDB20DBA4DD45BDEBBB8EF08714F00419AE509B7281DB78AB88DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,0100BFD0,00000000,0100BFD0,00000000,?,0000001C,00000001,00000000,0000001C,?,?,00000014,0100BFD0,00000000,4638DA1B), ref: 00F6FC1D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpsDownloadFile.cpp, xrefs: 00F6FC9E
                                                                                                                                                                                                                                          • NWebAdvisor::NHttp::NDownloadFile::StoreOnDisk, xrefs: 00F6FC99
                                                                                                                                                                                                                                          • Destination directory does not exist, xrefs: 00F6FC8F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                                          • String ID: Destination directory does not exist$NWebAdvisor::NHttp::NDownloadFile::StoreOnDisk$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpsDownloadFile.cpp
                                                                                                                                                                                                                                          • API String ID: 3188754299-3555079292
                                                                                                                                                                                                                                          • Opcode ID: def7b3f04b77230d4cd4a49d7364127042aed7906c0635a28c76ebcc830cfec5
                                                                                                                                                                                                                                          • Instruction ID: ce1b90d6430c1ed1dab83775c70c7290045408f09a3b2071796edd0e33167428
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: def7b3f04b77230d4cd4a49d7364127042aed7906c0635a28c76ebcc830cfec5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6216D75E0020C9BCF00DFA8D842AEEBBF5AF08710F00426AFC15A7280DB74AA45DB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA), xrefs: 00F3E367
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
                                                                                                                                                                                                                                          • API String ID: 0-3078421892
                                                                                                                                                                                                                                          • Opcode ID: 500671ae4d5104b03133bff47e9c211e9a4f092fd2a81c5b655c68393fba4433
                                                                                                                                                                                                                                          • Instruction ID: f53555597774d60c7c9d953674799ecf44fa651d7cdc65417785ca764a5e1551
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 500671ae4d5104b03133bff47e9c211e9a4f092fd2a81c5b655c68393fba4433
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF220571D002089BDB14DF64DC89BEEBBB5FF49324F10869DE409A7791DB74AA84CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::locale::_Init.LIBCPMT ref: 00F6882F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Failed to create log message string. Error 0x, xrefs: 00F689CF
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\XmlUpdaterLogger.cpp, xrefs: 00F68AF6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Initstd::locale::_
                                                                                                                                                                                                                                          • String ID: Failed to create log message string. Error 0x$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\XmlUpdaterLogger.cpp
                                                                                                                                                                                                                                          • API String ID: 1620887387-1553574442
                                                                                                                                                                                                                                          • Opcode ID: 15b0aa2d884f6c9b099c67ea25c9fe7e6db041e50833efaa3f9b1fac95755e38
                                                                                                                                                                                                                                          • Instruction ID: dc281fff1bb9208469d3ea66346904cdf21d6f14c9d81d96bcbc569817609d7e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15b0aa2d884f6c9b099c67ea25c9fe7e6db041e50833efaa3f9b1fac95755e38
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9E16D71E00259DFDF24CF68C845BADB7B1BF49304F10829DE909A7281DB75AA85DF50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,00000000,00000000), ref: 00F3E36C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA), xrefs: 00F3E367
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DescriptorSecurity$ConvertString
                                                                                                                                                                                                                                          • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA)
                                                                                                                                                                                                                                          • API String ID: 3907675253-3078421892
                                                                                                                                                                                                                                          • Opcode ID: 992a7012b244a90cdcab0d21696de0e1b76d8436a55f213565f0748881a79460
                                                                                                                                                                                                                                          • Instruction ID: 3098975a197e86c019ddb148e2b160fe176aa2fd6540212188f82e81437ec6e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 992a7012b244a90cdcab0d21696de0e1b76d8436a55f213565f0748881a79460
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D81DF70A012599BDF24DF24DC8DB9DB7B2EF85318F1042D9E008A7291EB79AB84DF50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F5CCBB
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5CCEC
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Unable to set proxy option, error: , xrefs: 00F5CCAB
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorOncestd::ios_base::_$BeginCompleteErrorInitializeLast
                                                                                                                                                                                                                                          • String ID: Unable to set proxy option, error:
                                                                                                                                                                                                                                          • API String ID: 879576418-14943890
                                                                                                                                                                                                                                          • Opcode ID: 0bbae7b03602ed3759aca0ab3a781d9cbb6177cfc18b2bc7ea295ba19ee00f84
                                                                                                                                                                                                                                          • Instruction ID: 097302dcff69af5ae497733d28fcae11e8e0b38600c47d1a56322634e11f0979
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0bbae7b03602ed3759aca0ab3a781d9cbb6177cfc18b2bc7ea295ba19ee00f84
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F31A271A04359DFEB24EF60DC05BEEB7B9FB04720F00856DE815A3280EB795A08DB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC576D: GetConsoleCP.KERNEL32(?,00F6860A,00000000), ref: 00FC57B5
                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,00000000,0101C218,4638DA1B,00000000,4638DA1B,00F6860A,00F6860A,00F6860A,4638DA1B,00000000,?,00FB591E,00000000,0101C218,00000010), ref: 00FC6129
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00FB591E,00000000,0101C218,00000010,00F6860A), ref: 00FC6133
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FC6178
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 251514795-0
                                                                                                                                                                                                                                          • Opcode ID: ca6f19deac1ec55957d7ca3c29600184fede6aa9f502b315bba46446a653cc61
                                                                                                                                                                                                                                          • Instruction ID: 104cc5602356d540e2a96feae0570c196afa5f2666fd96a1e0cc6350858b3367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca6f19deac1ec55957d7ca3c29600184fede6aa9f502b315bba46446a653cc61
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9351C2B1E0820BAFDB10DFA4CE86FEE7BB9AF49714F180059E401F7152D6359D41A760
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,4638DA1B,0000005C,?,?,?,?,00000000,00FD952D,000000FF,?,00F3E09D), ref: 00F3E681
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(00000000,?,?,?,?,?,00000000,00FD952D,000000FF,?,00F3E09D), ref: 00F3E738
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,00FD952D,000000FF,?,00F3E09D), ref: 00F3E742
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AttributesCreateDirectoryErrorFileLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 674977465-0
                                                                                                                                                                                                                                          • Opcode ID: fd16ae779ea78583935d46c4d03dd52360b0ed6862e0561f44eb75c7f43fe4f3
                                                                                                                                                                                                                                          • Instruction ID: c4f71957bf823b2a094a099a10a65a703f6276c5d82cb499f3d6985509a6b832
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd16ae779ea78583935d46c4d03dd52360b0ed6862e0561f44eb75c7f43fe4f3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50310571A002049BCB24CF68EC85BAEF7B4FF49724F14462DE815937C0D735A904DB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CertGetCertificateChain.CRYPT32(00000000,?,?,?), ref: 00F9206C
                                                                                                                                                                                                                                          • CertVerifyCertificateChainPolicy.CRYPT32(00000003,?,?,?), ref: 00F920A4
                                                                                                                                                                                                                                          • CertFreeCertificateChain.CRYPT32(?), ref: 00F920D0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CertCertificateChain$FreePolicyVerify
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1741975133-0
                                                                                                                                                                                                                                          • Opcode ID: e7f44519c71db52a0693dfce59391a867daf53fc308dc1ea2f70ab2104668ec7
                                                                                                                                                                                                                                          • Instruction ID: 877d5d8371f0cf2ed7db52ac5f9e13fd3ee48167fb838df633ecac04b827e6a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7f44519c71db52a0693dfce59391a867daf53fc308dc1ea2f70ab2104668ec7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3419FB15083859BEB20CF54C884BABBBE8FF89744F04091DF58897250E77AD548DB62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00FCA699
                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FCA707
                                                                                                                                                                                                                                            • Part of subcall function 00FC98FF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00FC7B21,?,00000000,00000000), ref: 00FC99A1
                                                                                                                                                                                                                                            • Part of subcall function 00FC2174: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FA872D,?,?,00F3A1ED,0000002C,4638DA1B), ref: 00FC21A6
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FCA6F8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2560199156-0
                                                                                                                                                                                                                                          • Opcode ID: c935b642970e65007ad2c5c319ab6354679556729de726d3c4e671bdcac82825
                                                                                                                                                                                                                                          • Instruction ID: 6df1a914a29f614f1cded9e4a1cae3efe8d5c7ce6066dee8b4e4b97c3fb7895a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c935b642970e65007ad2c5c319ab6354679556729de726d3c4e671bdcac82825
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0801D87390165F7B272115BA1ECBF7B796CEEC6BA8318012CF900D6141E9649C01B1B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindCloseChangeNotification.KERNEL32(00000000,00000000,00F6860A,?,00FC6A9A,00F6860A,0101C5B8,0000000C,00FC6B4C,0101C218), ref: 00FC6BC2
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00FC6A9A,00F6860A,0101C5B8,0000000C,00FC6B4C,0101C218), ref: 00FC6BCC
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FC6BF7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 490808831-0
                                                                                                                                                                                                                                          • Opcode ID: c48bd05a0703c1e43bab7ec1dfe9eccf863f263c09ea496ef7c85ad03ebfc24d
                                                                                                                                                                                                                                          • Instruction ID: c62029010aad50cc987d8523fcfc926740f34cfcb4388baca03731171ae96581
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48bd05a0703c1e43bab7ec1dfe9eccf863f263c09ea496ef7c85ad03ebfc24d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1012633E0D16A16C6246638AE47F7E77499FC6738F25024DE819CB1C2DB39AC84B291
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00FCF765,00000008,00000000,?,?,?,00FC69A3,00000000,00000000,?,00FCF765), ref: 00FC692F
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00FC69A3,00000000,00000000,?,00FCF765,?,00FCF765,?,00000000,00000000,00000001,?,00000008), ref: 00FC6939
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00FC6940
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2336955059-0
                                                                                                                                                                                                                                          • Opcode ID: 4ffa5ed91859a785336bd39fccdd14f5ee8bcbee1dd0059a74521fc913be486b
                                                                                                                                                                                                                                          • Instruction ID: bd3fcf3df1b07e5ed1de165fb028bbb5dc850740deebd81af1c695384a44d1c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ffa5ed91859a785336bd39fccdd14f5ee8bcbee1dd0059a74521fc913be486b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B012833A04519ABCB058F69DD46E6E3B2AEB82330734020CF412DB190EA31ED01A750
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC2174: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FA872D,?,?,00F3A1ED,0000002C,4638DA1B), ref: 00FC21A6
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC3E42
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC3E68
                                                                                                                                                                                                                                            • Part of subcall function 00FC2098: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCB729,?,00000000,?,?,?,00FCB9CC,?,00000007,?,?,00FCBDD6,?), ref: 00FC20AE
                                                                                                                                                                                                                                            • Part of subcall function 00FC2098: GetLastError.KERNEL32(?,?,00FCB729,?,00000000,?,?,?,00FCB9CC,?,00000007,?,?,00FCBDD6,?,?), ref: 00FC20C0
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC3E98
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$Heap$AllocateErrorFreeLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4150789928-0
                                                                                                                                                                                                                                          • Opcode ID: e6cf5ad7ee28672ace70fb70d539d815d7db59d91254a1e098047906647d6ff3
                                                                                                                                                                                                                                          • Instruction ID: 5c15e6db0541d57d0760f766d2c3c2e03f9a930f81cfc94deef36525e1e32a21
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6cf5ad7ee28672ace70fb70d539d815d7db59d91254a1e098047906647d6ff3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3F0D63780023B56CF22A2249E03FFE73249F417A0F15829EE48672141DE698E89B790
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
  • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
  • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
Strings
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: y1v
• API String ID: 1269201914-256147730
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          • Opcode ID: ab0d7efc121f271a2031bf39f8aa817dae64ff1a11b7663cd88ff9fe6cfa068d
                                                                                                                                                                                                                                          • Instruction ID: 06f85cc09786ec20265297890e1b98d492924c9063c2d2a863e14249d0eee611
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab0d7efc121f271a2031bf39f8aa817dae64ff1a11b7663cd88ff9fe6cfa068d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBB01282259111BD3284614A9D46D77110CD2C1B28F30410EF480C4110D4481C443236
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          • Opcode ID: 35d43d70d9ba6a3c4d7a9ccb9c8848837f3c8fcbbc1171891c5ef94574ef78c9
                                                                                                                                                                                                                                          • Instruction ID: 58b401f005da0cfe28fa10f7b0976e892ad51df41ad7f2de9168ac0f9696ac8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35d43d70d9ba6a3c4d7a9ccb9c8848837f3c8fcbbc1171891c5ef94574ef78c9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6B012C2259021FD3584614E9D46D37110CD3C1B28F30800EF480C4100D4881C013232
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84C81
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID: y1v
                                                                                                                                                                                                                                          • API String ID: 1269201914-256147730
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00F54AD2
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(-00000001), ref: 00F54AFD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeString_com_issue_error
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 709734423-0
                                                                                                                                                                                                                                          • Opcode ID: c159d63b7db17ba1b45c1f61afd51589c119d2bc93e6043dc98d3e5b80445434
                                                                                                                                                                                                                                          • Instruction ID: faa135fed2e9ec209d58b6b2a91c696b926b6963a44face90fa16911638e6cd2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c159d63b7db17ba1b45c1f61afd51589c119d2bc93e6043dc98d3e5b80445434
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F21D1B1900711ABD7208F55CC05B4AFBE8EF41B61F20462EE96597280EBB8E884D790
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,?,00F6860A,00000000,?,00FC610D,00F6860A,00F6860A,00000000,0101C218,4638DA1B,00F6860A), ref: 00FC5C8C
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00FC610D,00F6860A,00F6860A,00000000,0101C218,4638DA1B,00F6860A,00F6860A,00F6860A,4638DA1B,00000000,?,00FB591E,00000000,0101C218), ref: 00FC5CB2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 442123175-0
                                                                                                                                                                                                                                          • Opcode ID: dcf64ad73eb14f15e5798032e46bcf693eddddc41562d8bacbc803666099090a
                                                                                                                                                                                                                                          • Instruction ID: 5ec0fd13fa41500973496b0a4bc16c5f4ba35cbe239e127cd2ae411727b24d34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcf64ad73eb14f15e5798032e46bcf693eddddc41562d8bacbc803666099090a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77219171A002299FCF15CF29DD81AE9B7BAEB58701F2440ADE946D7211D630EE82DB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoCreateInstance.OLE32(00FFD808,00000000,00000017,0100B024,00000000,4638DA1B,?,?,?,00000000,00000000,00000000,00FD8687,000000FF), ref: 00F35C7A
                                                                                                                                                                                                                                          • OleRun.OLE32(00000000), ref: 00F35C89
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateInstance
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 542301482-0
                                                                                                                                                                                                                                          • Opcode ID: bed0315cd87171e642af283b1e9bdf8c5cdc2345505807a23eaace616575b786
                                                                                                                                                                                                                                          • Instruction ID: 7e6c1268f3d4a4c0e688cef19aafa16330cd8f148488d734c7d6442bdfd456da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bed0315cd87171e642af283b1e9bdf8c5cdc2345505807a23eaace616575b786
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E219D75A00618AFDB01CB58DC85F6EBBB9EF88B60F140129F515E73A0DB74AD01DA50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                          • InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitOnce$BeginCompleteInitialize
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 51270584-0
                                                                                                                                                                                                                                          • Opcode ID: d2308bc4f39855839b63d6840032ed87f1e7fbc8c3026ebb00c9c5a4d564fe34
                                                                                                                                                                                                                                          • Instruction ID: 3ededf7a896cc13e5831ab595dd3cb7f26e522ed48f72a9836f2b94ea18772fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d2308bc4f39855839b63d6840032ed87f1e7fbc8c3026ebb00c9c5a4d564fe34
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7401D270E4464AAFEB10DF94DC46B6EB7F8FB04B14F10462AF611AB2C1DBB85504DB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00F54AA5,?,00000000,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5), ref: 00FA9A04
                                                                                                                                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 00FA9A0F
                                                                                                                                                                                                                                            • Part of subcall function 00FAE960: _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A38
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A42
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(80070057,4638DA1B,?,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5,?), ref: 00FA9A47
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A5A
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,?,00000000,?,00FABE00,0101BF08,000000FE,?,00F54AA5,?), ref: 00FA9A70
                                                                                                                                                                                                                                          • _com_issue_error.COMSUPP ref: 00FA9A83
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _com_issue_error$ErrorLast$AllocByteCharMultiStringWide_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 878839965-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SHDeleteKeyW.SHLWAPI(?,0100BFD0,?,00F5DE7B), ref: 00F5DED6
                                                                                                                                                                                                                                          • RegCloseKey.KERNEL32(?,?,00F5DE7B), ref: 00F5DEE4
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseDelete
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 453069226-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000001,4638DA1B,?,?), ref: 00F3DF08
                                                                                                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GRGWGX;;;AU)(A;OICI;GA;;;BA),00000001,00000000,00000000), ref: 00F3E36C
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DescriptorSecurity$ConvertFolderPathSpecialString
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4077199523-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F3903E
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_task
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 118556049-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: __wsopen_s
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3347428461-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegCreateKeyExW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?), ref: 00F5DF45
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Create
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2289755597-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(?), ref: 00F76061
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1174141254-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,?,?,00FA872D,?,?,00F3A1ED,0000002C,4638DA1B), ref: 00FC21A6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 00F5E51F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F313A5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 323602529-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(00000000,?,00FD4E6A,00000000,00000000,-00000002,4638DA1B,00000028,00000000,?,00000000,extra,00000005,00000000,00000000,00FF44E4), ref: 00FD4D92
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegSetValueExW.KERNEL32(?,?,00000000,?,?,?), ref: 00F5ED2F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Value
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3702945584-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,00000000,?,00FD0187,?,?,00000000,?,00FD0187,00000000,0000000C), ref: 00FCFE42
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F92743: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 00F92743
                                                                                                                                                                                                                                            • Part of subcall function 00F92743: AcquireSRWLockExclusive.KERNEL32(?,00F928F1), ref: 00F92760
                                                                                                                                                                                                                                          • DloadProtectSection.DELAYIMP ref: 00F926C5
                                                                                                                                                                                                                                            • Part of subcall function 00F9286C: DloadObtainSection.DELAYIMP ref: 00F9287C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Dload$LockSection$AcquireExclusiveFunctionObtainPointersProtect
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1209458687-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?), ref: 00F5E8D4
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: QueryValue
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3660427363-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                            • Part of subcall function 00FC2098: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCB729,?,00000000,?,?,?,00FCB9CC,?,00000007,?,?,00FCBDD6,?), ref: 00FC20AE
                                                                                                                                                                                                                                            • Part of subcall function 00FC2098: GetLastError.KERNEL32(?,?,00FCB729,?,00000000,?,?,?,00FCB9CC,?,00000007,?,?,00FCBDD6,?,?), ref: 00FC20C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorFreeHeapLast_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1353095263-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84DAF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84DAF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 20fbfab4158fb5df4f6f3cb6345969a86f86bde3a55066ce33abaf9655d87593
                                                                                                                                                                                                                                          • Instruction ID: 637b2630e7e1d08a2b1644829cadb925f9b0bfbaae1f8c0fcbb0e9c05897be13
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 20fbfab4158fb5df4f6f3cb6345969a86f86bde3a55066ce33abaf9655d87593
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98B01283258022FC39446145EC46D37021CD3C1B10770C10EF840C4201D44C1C047631
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: e2082ff227eaffc486dca8226dcb90ad70a4222475d3924d7209fae8854d282d
                                                                                                                                                                                                                                          • Instruction ID: 0285599d793f8cb233489952eee17f9db31f824fe5a167af8466d4eae956f944
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2082ff227eaffc486dca8226dcb90ad70a4222475d3924d7209fae8854d282d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9B01283359022FC3A446145EC46D37022CD3C1B10730810EF840C5205D44C1C047231
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 78f752379d5d8a2939c3b07f0a960bda6951de219da69d045d4a8b922bec16bd
                                                                                                                                                                                                                                          • Instruction ID: fed3252550cefc5606b0abf878ea03a86b6f8bbe46e9935b7b38d6b5e11b9cd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78f752379d5d8a2939c3b07f0a960bda6951de219da69d045d4a8b922bec16bd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4CB01283258012BC36446185ED46D77521DC2C1B20770830EF445C4201D44C2C017231
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 6345d46da2c684774841526cb4eb5e788b1dbb19d59c552d6747670997a55818
                                                                                                                                                                                                                                          • Instruction ID: bb96b161ef8770c554973cead334ad974878262942814234909481872d409137
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6345d46da2c684774841526cb4eb5e788b1dbb19d59c552d6747670997a55818
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FBB01283258112BC36446185EC86DB7421CC2C1B20730430EF841C4201D44C2C447235
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 9dd5aae462a3f1fd2d03031dddb9d6b2487988dd8136aa0e4746b6174fd8d1fa
                                                                                                                                                                                                                                          • Instruction ID: a371960f67d0930ee2cc037fa9e055714ef23a1843a8cd35de3ef4753e59f411
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9dd5aae462a3f1fd2d03031dddb9d6b2487988dd8136aa0e4746b6174fd8d1fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9B01283258022FC39446185EC46D77431CC3C5B20730820EF841C4301D44C2C007231
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F84D1C
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00F914D8
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA97C4
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
  • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
  • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25B012C226C030BC36485245AC86F37110CC3C1B10730851EF444C4100D4884C443131
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 18589e2e266e50851fa021a2f473b044f37929d9344a13d60b038dc60a2eb475
                                                                                                                                                                                                                                          • Instruction ID: 80e13fd588d235dbab41b1f4fa57d4c2a79f47102e330f6da0c2f2eec14b0700
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18589e2e266e50851fa021a2f473b044f37929d9344a13d60b038dc60a2eb475
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4B012C326C1247C32485345AC8AF37115CD2C1B10730451EF440C4104D4880C447131
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 2f905a171118e89f49149abf44cf17015cad523c67497c0654c756dccd517cd5
                                                                                                                                                                                                                                          • Instruction ID: c38c7f7c7ce74819ca34adb45ec05f57cbd0b82309a17c6ee61954fdb344b545
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f905a171118e89f49149abf44cf17015cad523c67497c0654c756dccd517cd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04B012D226C0207C33485345AD8AE37218CC2C1B10B30851EF444C4100D4880C453131
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: 7e78a25da05e097cb89863e2aa746ec7f98835ff09d7b1ec617506a407199225
                                                                                                                                                                                                                                          • Instruction ID: a3c75ef2955178436713d718c99921d6a7c17067f37baffbcc2563b2fca84f0f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e78a25da05e097cb89863e2aa746ec7f98835ff09d7b1ec617506a407199225
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DDB012C626C1207C33485345AC8AE37114CC2C1B10730461EF840C4100D4880C883131
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          • Opcode ID: eca39732da382e85dae33c3b4fe52a9af5ef5e32dcedebf97aca072b4fa8d375
                                                                                                                                                                                                                                          • Instruction ID: f6569640d6c62b5d59b61882aebd37272ff71a8f8e958998eb55ada44be9bf1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eca39732da382e85dae33c3b4fe52a9af5ef5e32dcedebf97aca072b4fa8d375
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3EB012C226C030BC36485355AC8AE37114CC3C1B10730851EF840C4100D4880C443131
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 00FA9BE7
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F929AF
                                                                                                                                                                                                                                            • Part of subcall function 00F9293C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F929C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1269201914-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: lstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1659193697-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(?,4638DA1B), ref: 00F60571
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00F605B7
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,SetEntriesInAclW), ref: 00F605DD
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetFileSecurityW), ref: 00F605E9
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,SetFileSecurityW), ref: 00F605F5
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00F60601
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetExplicitEntriesFromAclW), ref: 00F6060D
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,RegGetKeySecurity), ref: 00F6061C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,RegSetKeySecurity), ref: 00F60628
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,InitializeSecurityDescriptor), ref: 00F60634
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,SetSecurityDescriptorDacl), ref: 00F60640
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetSecurityDescriptorDacl), ref: 00F6064C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,AllocateAndInitializeSid), ref: 00F60658
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,FreeSid), ref: 00F60664
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,OpenThreadToken), ref: 00F60670
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00F6067C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,InitializeAcl), ref: 00F60688
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,InitializeSid), ref: 00F60694
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetSidSubAuthority), ref: 00F606A0
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,AddAccessAllowedAce), ref: 00F606AC
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetSecurityInfo), ref: 00F606B8
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,SetSecurityInfo), ref: 00F606C4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,QueryServiceStatusEx), ref: 00F606D0
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetAce), ref: 00F606DC
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,DeleteAce), ref: 00F606E8
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,EqualSid), ref: 00F606F4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetAclInformation), ref: 00F60700
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,SetSecurityDescriptorControl), ref: 00F6070F
                                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00F607DE
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$CriticalSection$EnterFreeLeaveLibrary
                                                                                                                                                                                                                                          • String ID: AddAccessAllowedAce$AllocateAndInitializeSid$DeleteAce$EqualSid$FreeSid$GetAce$GetAclInformation$GetExplicitEntriesFromAclW$GetFileSecurityW$GetSecurityDescriptorDacl$GetSecurityInfo$GetSidSubAuthority$GetTokenInformation$InitializeAcl$InitializeSecurityDescriptor$InitializeSid$LookupAccountSidW$OpenThreadToken$QueryServiceStatusEx$RegGetKeySecurity$RegSetKeySecurity$SetEntriesInAclW$SetFileSecurityW$SetSecurityDescriptorControl$SetSecurityDescriptorDacl$SetSecurityInfo$advapi32.dll
                                                                                                                                                                                                                                          • API String ID: 2701342527-838666417
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CryptQueryObject.CRYPT32(00000001,00F6BDCE,00000400,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7EBD2
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EBE4
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EBF4
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7ECEE
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7ECFE
                                                                                                                                                                                                                                          • CryptQueryObject.CRYPT32(00000002,?,00003FFE,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7EDEE
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EE0A
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EE1C
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EEB6
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EEC2
                                                                                                                                                                                                                                            • Part of subcall function 00F7F3C0: CryptMsgGetParam.CRYPT32(00000000,00000005,00000000,?,?), ref: 00F7F442
                                                                                                                                                                                                                                            • Part of subcall function 00F7F3C0: CryptMsgGetParam.CRYPT32(00000000,00000006,00000000,00000000,00000004), ref: 00F7F488
                                                                                                                                                                                                                                            • Part of subcall function 00F7F3C0: CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,00000000), ref: 00F7F4C6
                                                                                                                                                                                                                                            • Part of subcall function 00F7F3C0: CertGetSubjectCertificateFromStore.CRYPT32(?,00010001,?), ref: 00F7F527
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EF02
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EF14
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EFAE
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EFBA
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7EFDA
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7EFEA
                                                                                                                                                                                                                                          • CryptMsgClose.CRYPT32(00000000), ref: 00F7F0CB
                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(00000000,00000001), ref: 00F7F0DB
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Close$Crypt$CertStore$Param$ObjectQuery$CertificateFromSubject
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2648890560-0
                                                                                                                                                                                                                                          • Opcode ID: 051bfcd604a4012f406d5560ff328335dbbecaa1e6825db181398ea08e663f95
                                                                                                                                                                                                                                          • Instruction ID: 4ca5b56817f7010aef10bea05d4afe5c5dfb30a09855e36e2e90d883d09f37da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 051bfcd604a4012f406d5560ff328335dbbecaa1e6825db181398ea08e663f95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9026071E002189BEF14DFA8CD89BEEBBB8AF08314F14855AE505F7281D7799A04DB61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?), ref: 00F46268
                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00F46274
                                                                                                                                                                                                                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,?,?,?,?,?,?), ref: 00F463BF
                                                                                                                                                                                                                                          • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00F463DF
                                                                                                                                                                                                                                          • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00F463FC
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • al exception rule %x:%x res %s, xrefs: 00F4632E
                                                                                                                                                                                                                                          • 3c224a00-5d51-11cf-b3ca-000000000001, xrefs: 00F4671E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Crypt$CurrentHash$AcquireContextCreateDataProcessThread
                                                                                                                                                                                                                                          • String ID: 3c224a00-5d51-11cf-b3ca-000000000001$al exception rule %x:%x res %s
                                                                                                                                                                                                                                          • API String ID: 3004248768-911235813
                                                                                                                                                                                                                                          • Opcode ID: 549e259d0d44a5a8fa03e43749bb25bbbf4a9b69b014b76e7d28e0151068c2ba
                                                                                                                                                                                                                                          • Instruction ID: 8965835058ddcd6d28fa544696dccc2429649888fd1b333cb4d56c6c6c873bff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 549e259d0d44a5a8fa03e43749bb25bbbf4a9b69b014b76e7d28e0151068c2ba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5F13C35B012289FDB259F14DC95BADBBB5BF48710F1500D9EA0AAB390CB70AE41DF91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00F467F3
                                                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00F467FB
                                                                                                                                                                                                                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00F4687F
                                                                                                                                                                                                                                          • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00F4689F
                                                                                                                                                                                                                                          • CryptHashData.ADVAPI32(00000000,?,00000000,00000000), ref: 00F468BC
                                                                                                                                                                                                                                          • CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000010,00000000), ref: 00F468DE
                                                                                                                                                                                                                                          • CryptDestroyHash.ADVAPI32(00000000), ref: 00F468EF
                                                                                                                                                                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00F46902
                                                                                                                                                                                                                                          • DeviceIoControl.KERNEL32(00000000,9EDBA51C,00000000,00000000,00000000,00000000,?,00000000), ref: 00F46951
                                                                                                                                                                                                                                          • DeviceIoControl.KERNEL32(?,9EDB651C,00000000,00000000,00000000,00000000,?,00000000), ref: 00F46980
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • al exception rule %x:%x res %s, xrefs: 00F46824
                                                                                                                                                                                                                                          • Freeing access handle %p, xrefs: 00F467D0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Crypt$Hash$ContextControlCurrentDevice$AcquireCreateDataDestroyParamProcessReleaseThread
                                                                                                                                                                                                                                          • String ID: Freeing access handle %p$al exception rule %x:%x res %s
                                                                                                                                                                                                                                          • API String ID: 581428007-3582322424
                                                                                                                                                                                                                                          • Opcode ID: 836aa6b7f4a873a9072f96383cf283a07329c876f26a8662b2fd0c675da6a427
                                                                                                                                                                                                                                          • Instruction ID: ebad8677f05a83bd8c91aebd58c190f073bff0482228d1e2e697899430eb704c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 836aa6b7f4a873a9072f96383cf283a07329c876f26a8662b2fd0c675da6a427
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E518471A00218ABEB208F60DC85FDA7BB8AF15710F144695BE44EA1C0DBF0EE84DF61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: GetLastError.KERNEL32(00000008,00000016,00000000,00FC4E01), ref: 00FC1CAE
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00FC1D4C
                                                                                                                                                                                                                                          • GetACP.KERNEL32(?,?,?,?,?,?,00FC00E4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00FCC720
                                                                                                                                                                                                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00FC00E4,?,?,?,00000055,?,-00000050,?,?), ref: 00FCC74B
                                                                                                                                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 00FCC7DF
                                                                                                                                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 00FCC7ED
                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00FCC8B4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                                                                                                                                                          • String ID: utf8
                                                                                                                                                                                                                                          • API String ID: 4147378913-905460609
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00FCD124,00000002,00000000,?,?,?,00FCD124,?,00000000), ref: 00FCCE9F
                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,00FCD124,00000002,00000000,?,?,?,00FCD124,?,00000000), ref: 00FCCEC8
                                                                                                                                                                                                                                          • GetACP.KERNEL32(?,?,00FCD124,?,00000000), ref: 00FCCEDD
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                                          • String ID: ACP$OCP
                                                                                                                                                                                                                                          • API String ID: 2299586839-711371036
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: GetLastError.KERNEL32(00000008,00000016,00000000,00FC4E01), ref: 00FC1CAE
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00FC1D4C
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: _free.LIBCMT ref: 00FC1D0B
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: _free.LIBCMT ref: 00FC1D41
                                                                                                                                                                                                                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00FCD0E7
                                                                                                                                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 00FCD130
                                                                                                                                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00FCD13F
                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00FCD187
                                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00FCD1A6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 949163717-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseCrypt
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1563465135-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F96AB6
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F96AC4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F96AD5
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F96AE6
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F96AF7
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F96B08
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00F96B19
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F96B2A
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00F96B3B
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F96B4C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F96B5D
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F96B6E
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F96B7F
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F96B90
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F96BA1
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F96BB2
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F96BC3
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00F96BD4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00F96BE5
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00F96BF6
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00F96C07
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00F96C18
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00F96C29
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00F96C3A
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00F96C4B
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F96C5C
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F96C6D
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00F96C7E
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F96C8F
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F96CA0
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00F96CB1
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00F96CC2
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00F96CD3
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00F96CE4
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00F96CF5
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00F96D06
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00F96D17
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00F96D28
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00F96D39
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00F96D4A
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00F96D5B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                          • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 667068680-295688737
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • ctype.LIBCPMT ref: 00F9E830
                                                                                                                                                                                                                                            • Part of subcall function 00F33055: __Getctype.LIBCPMT ref: 00F33064
                                                                                                                                                                                                                                            • Part of subcall function 00F97D5B: __EH_prolog3.LIBCMT ref: 00F97D62
                                                                                                                                                                                                                                            • Part of subcall function 00F97D5B: std::_Lockit::_Lockit.LIBCPMT ref: 00F97D6C
                                                                                                                                                                                                                                            • Part of subcall function 00F97D5B: std::_Lockit::~_Lockit.LIBCPMT ref: 00F97DDD
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E83E
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E855
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E89C
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E8CF
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E921
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E936
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E955
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E974
                                                                                                                                                                                                                                          • collate.LIBCPMT ref: 00F9E97E
                                                                                                                                                                                                                                          • __Getcoll.LIBCPMT ref: 00F9E9C0
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E9D4
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EABD
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EB18
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EB74
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EB89
                                                                                                                                                                                                                                            • Part of subcall function 00F9816E: __EH_prolog3.LIBCMT ref: 00F98175
                                                                                                                                                                                                                                            • Part of subcall function 00F9816E: std::_Lockit::_Lockit.LIBCPMT ref: 00F9817F
                                                                                                                                                                                                                                            • Part of subcall function 00F9816E: std::_Lockit::~_Lockit.LIBCPMT ref: 00F981F0
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EBA8
                                                                                                                                                                                                                                            • Part of subcall function 00F983C2: __EH_prolog3.LIBCMT ref: 00F983C9
                                                                                                                                                                                                                                            • Part of subcall function 00F983C2: std::_Lockit::_Lockit.LIBCPMT ref: 00F983D3
                                                                                                                                                                                                                                            • Part of subcall function 00F983C2: std::_Lockit::~_Lockit.LIBCPMT ref: 00F98444
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EBC7
                                                                                                                                                                                                                                            • Part of subcall function 00F9832D: __EH_prolog3.LIBCMT ref: 00F98334
                                                                                                                                                                                                                                            • Part of subcall function 00F9832D: std::_Lockit::_Lockit.LIBCPMT ref: 00F9833E
                                                                                                                                                                                                                                            • Part of subcall function 00F9832D: std::_Lockit::~_Lockit.LIBCPMT ref: 00F983AF
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EBE6
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EC38
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EC7D
                                                                                                                                                                                                                                            • Part of subcall function 00F9DDD2: __EH_prolog3.LIBCMT ref: 00F9DDD9
                                                                                                                                                                                                                                            • Part of subcall function 00F9DDD2: _Getvals.LIBCPMT ref: 00F9DE2B
                                                                                                                                                                                                                                            • Part of subcall function 00F9DDD2: _Mpunct.LIBCPMT ref: 00F9DE66
                                                                                                                                                                                                                                            • Part of subcall function 00F9DDD2: _Mpunct.LIBCPMT ref: 00F9DE80
                                                                                                                                                                                                                                            • Part of subcall function 00F98044: __EH_prolog3.LIBCMT ref: 00F9804B
                                                                                                                                                                                                                                            • Part of subcall function 00F98044: std::_Lockit::_Lockit.LIBCPMT ref: 00F98055
                                                                                                                                                                                                                                            • Part of subcall function 00F98044: std::_Lockit::~_Lockit.LIBCPMT ref: 00F980C6
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EA41
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: Concurrency::cancel_current_task.LIBCPMT ref: 00F95748
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: __EH_prolog3.LIBCMT ref: 00F95755
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00F95781
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00F9578C
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9E9EB
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: __EH_prolog3.LIBCMT ref: 00F9568F
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: std::_Lockit::_Lockit.LIBCPMT ref: 00F95699
                                                                                                                                                                                                                                            • Part of subcall function 00F95688: std::_Lockit::~_Lockit.LIBCPMT ref: 00F9573D
                                                                                                                                                                                                                                            • Part of subcall function 00F97F1A: __EH_prolog3.LIBCMT ref: 00F97F21
                                                                                                                                                                                                                                            • Part of subcall function 00F97F1A: std::_Lockit::_Lockit.LIBCPMT ref: 00F97F2B
                                                                                                                                                                                                                                            • Part of subcall function 00F97F1A: std::_Lockit::~_Lockit.LIBCPMT ref: 00F97F9C
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EA2C
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F9EA8A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Locimp::_std::locale::_$AddfacLocimp_$std::_$Lockit$H_prolog3$Lockit::_Lockit::~_$Mpunct$Concurrency::cancel_current_taskGetcollGetctypeGetvalsLocinfoLocinfo::~_Makeloccollatectype
                                                                                                                                                                                                                                          • String ID: u{jD
                                                                                                                                                                                                                                          • API String ID: 207879573-4045313965
                                                                                                                                                                                                                                          • Opcode ID: d1e704bd330e8e7653a83ba33062a429600874a2b87696dcf990a7987e632138
                                                                                                                                                                                                                                          • Instruction ID: 091a36b5277076dd549275e3bb138db124af115a8bfb66fdaaf843fee25bedde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1e704bd330e8e7653a83ba33062a429600874a2b87696dcf990a7987e632138
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3D1C3B1C0121AAFFF25AF648C06ABF7AA4EF41764F14441DF9446B292DB794D00B7E2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Failed to parse DeleteFile as a boolean - default to false, xrefs: 00F808D9
                                                                                                                                                                                                                                          • Source, xrefs: 00F807D1
                                                                                                                                                                                                                                          • Unable to read Source and/or DestDir attribute of EXTRACT_CAB_LOCAL command, xrefs: 00F80A3D, 00F80A42
                                                                                                                                                                                                                                          • NWebAdvisor::NXmlUpdater::CExtractCabLocalCommand::ExecuteExtractCabLocalCommand, xrefs: 00F8095D, 00F809A2, 00F809D9, 00F80A14
                                                                                                                                                                                                                                          • DeleteFile, xrefs: 00F8086B
                                                                                                                                                                                                                                          • Unable to create destination directory (%d), xrefs: 00F8099B
                                                                                                                                                                                                                                          • Failed to extract cab (%s), xrefs: 00F809D2
                                                                                                                                                                                                                                          • Failed to delete src cab (%d), xrefs: 00F80A0D
                                                                                                                                                                                                                                          • Unable to verify signature for file: %s, xrefs: 00F80956
                                                                                                                                                                                                                                          • Unable to substitute variables for the EXTRACT_CAB_LOCAL command, xrefs: 00F80A31
                                                                                                                                                                                                                                          • invalid substitutor, xrefs: 00F807C5
                                                                                                                                                                                                                                          • Unable to substitute DeleteFile attribute, xrefs: 00F808BC
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\ExtractCabLocalCommand.cpp, xrefs: 00F808E5, 00F80962, 00F809A7, 00F809DE, 00F80A19, 00F80A49
                                                                                                                                                                                                                                          • DestDir, xrefs: 00F80813
                                                                                                                                                                                                                                          • NWebAdvisor::NXmlUpdater::CExtractCabLocalCommand::Execute, xrefs: 00F808E0, 00F80A44
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: DeleteFile$DestDir$Failed to delete src cab (%d)$Failed to extract cab (%s)$Failed to parse DeleteFile as a boolean - default to false$NWebAdvisor::NXmlUpdater::CExtractCabLocalCommand::Execute$NWebAdvisor::NXmlUpdater::CExtractCabLocalCommand::ExecuteExtractCabLocalCommand$Source$Unable to create destination directory (%d)$Unable to read Source and/or DestDir attribute of EXTRACT_CAB_LOCAL command$Unable to substitute DeleteFile attribute$Unable to substitute variables for the EXTRACT_CAB_LOCAL command$Unable to verify signature for file: %s$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\ExtractCabLocalCommand.cpp$invalid substitutor
                                                                                                                                                                                                                                          • API String ID: 0-2605792675
                                                                                                                                                                                                                                          • Opcode ID: 5b072953648af6011c733237da2cbf206cd8db3752a1a7bdfa08a97cb18d8e2b
                                                                                                                                                                                                                                          • Instruction ID: 6e3cbd583b6746184d1b4a95a8c9c49e14f52437c2c38e212e6c4f9a7fe7e9d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b072953648af6011c733237da2cbf206cd8db3752a1a7bdfa08a97cb18d8e2b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B910171E40308ABDB14EF90DC52BFEB775AF05714F440119F50567282EFB9A948EBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F4DE80: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4DF0C
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4A143
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4A1AA
                                                                                                                                                                                                                                            • Part of subcall function 00F4E0D0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E161
                                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00F4A1C1
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00F4A1DD
                                                                                                                                                                                                                                          • CreateSemaphoreW.KERNEL32(00000000,00000000,000003E8,00000000), ref: 00F4A24C
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00F4A268
                                                                                                                                                                                                                                          • ReleaseSemaphore.KERNEL32(?,00000001,00000000,?,00000000), ref: 00F4A410
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000001), ref: 00F4A46F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$CloseCreateHandleSemaphore$ErrorEventLastMtx_unlockRelease
                                                                                                                                                                                                                                          • String ID: E$Failed to create event semaphore$Failed to create stop event$Failed to initialize event sender$Failed to release semaphore. Error: $V
                                                                                                                                                                                                                                          • API String ID: 1380281556-3274429967
                                                                                                                                                                                                                                          • Opcode ID: 34309f76a48bb9c51bd494f85cb3a0794b6c524863f260031154802ca06838f4
                                                                                                                                                                                                                                          • Instruction ID: 246e24332f4f8968d763303b89d508cca9efad3999ca3ee78cfd3a27d979ba4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34309f76a48bb9c51bd494f85cb3a0794b6c524863f260031154802ca06838f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BB1E570A402099BEB14EF60CC55BEEFBB5FF44310F104259E819672C1EBB96A45EF92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,4638DA1B,000000FF,00000000,00000000,00FDDF30,000000FF), ref: 00F80FE8
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 00F80FF8
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(000000FF,00000001,00000001,00000000,00000003,00000080,00000000,4638DA1B,000000FF,00000000,00000000,00FDDF30,000000FF), ref: 00F81037
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F81058
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(?,?), ref: 00F81088
                                                                                                                                                                                                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,?,00000000,00000000), ref: 00F8109C
                                                                                                                                                                                                                                          • MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,?,00000000), ref: 00F810D9
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00F810F0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Failed to open the file: %d, xrefs: 00F8105F
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\FileMemMap.h, xrefs: 00F8106B, 00F8110D
                                                                                                                                                                                                                                          • NWebAdvisor::CFileMemMap::Init, xrefs: 00F81066, 00F81108
                                                                                                                                                                                                                                          • CreateFileTransactedW, xrefs: 00F80FF2
                                                                                                                                                                                                                                          • Failed to map file to memory, xrefs: 00F81101
                                                                                                                                                                                                                                          • kernel32.dll, xrefs: 00F80FE3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$CreateHandle$AddressCloseErrorLastMappingModuleProcSizeView
                                                                                                                                                                                                                                          • String ID: CreateFileTransactedW$Failed to map file to memory$Failed to open the file: %d$NWebAdvisor::CFileMemMap::Init$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\FileMemMap.h$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 2423579280-2843467768
                                                                                                                                                                                                                                          • Opcode ID: 1197c6f054ca9b84ffc1cb9ff89dc2bb34bf291503d736ccfcaaec5dba14ea5a
                                                                                                                                                                                                                                          • Instruction ID: 1eb554279469a25ea57cf091ebbbe4ba1f39cad770ce3f370ff3b707a048f4eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1197c6f054ca9b84ffc1cb9ff89dc2bb34bf291503d736ccfcaaec5dba14ea5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA41E771B40745BBEB20AF60DC46FAA77A8BF04B24F100719F615EA2C0D7F4A941AB95
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,?,00000000,00000028,00000028,00000000,00000000,Name,00000004,00000000,00000000,Key,00000003,4638DA1B), ref: 00F830F1
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000008), ref: 00F8317C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Error (%d) deleting registry value (%s) in key: %s, xrefs: 00F8319D
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\delete_registry_value_command.cpp, xrefs: 00F83108, 00F83163, 00F831A9, 00F831D1
                                                                                                                                                                                                                                          • Key, xrefs: 00F83013
                                                                                                                                                                                                                                          • Name, xrefs: 00F83055
                                                                                                                                                                                                                                          • Cannnot delete registry value. Key or value not found. Key: %s Value: %s, xrefs: 00F83157
                                                                                                                                                                                                                                          • Unable to substitute variables for the DEL_REG_VALUE command, xrefs: 00F831BC
                                                                                                                                                                                                                                          • Unable to read Key or Name for DEL_REG_VALUE command, xrefs: 00F831C5
                                                                                                                                                                                                                                          • Error opening HKLM registry key: %d, xrefs: 00F830FC
                                                                                                                                                                                                                                          • NWebAdvisor::NXmlUpdater::parse_and_execute, xrefs: 00F83103, 00F8315E, 00F831A4, 00F831CC
                                                                                                                                                                                                                                          • Invalid substitutor, xrefs: 00F83005
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseOpen
                                                                                                                                                                                                                                          • String ID: Cannnot delete registry value. Key or value not found. Key: %s Value: %s$Error (%d) deleting registry value (%s) in key: %s$Error opening HKLM registry key: %d$Invalid substitutor$Key$NWebAdvisor::NXmlUpdater::parse_and_execute$Name$Unable to read Key or Name for DEL_REG_VALUE command$Unable to substitute variables for the DEL_REG_VALUE command$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\delete_registry_value_command.cpp
                                                                                                                                                                                                                                          • API String ID: 47109696-1081640057
                                                                                                                                                                                                                                          • Opcode ID: fc81e9961149d5b0bf0851e441a8c65023d88ea4e464d5e4a2b26c577bc6862e
                                                                                                                                                                                                                                          • Instruction ID: 49cd72ff40654c0dc80672e452da9cabdc20b6281cfaa3a361ada9c9695a9b8d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc81e9961149d5b0bf0851e441a8c65023d88ea4e464d5e4a2b26c577bc6862e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D451C571E41208ABDB10EF50DC4ABEEB7B9EF05F14F140518F50577291DB79AA04EBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SHGetSpecialFolderPathW.SHELL32(00000000,0101F278,00000023,00000001,00000004,00000000,00000000), ref: 00F68462
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(0101F278,00000000,0101F278,00000104,\McAfee\), ref: 00F68491
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F6849D
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(0101F278,00000000,0101F278,00000104,0101F070), ref: 00F684C5
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F684CB
                                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00F684FC
                                                                                                                                                                                                                                          • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 00F68511
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(0101F278,00000000,0101F278,00000104,00000000), ref: 00F6852E
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F68534
                                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00F685B9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateDirectoryErrorLast$CountFileFolderModuleNamePathSpecialTick
                                                                                                                                                                                                                                          • String ID: %uFile:%sFunction:%sLine:%d$\McAfee\$\log.txt
                                                                                                                                                                                                                                          • API String ID: 922589859-3713371193
                                                                                                                                                                                                                                          • Opcode ID: 0b687510285ad6f02addb4720851d1da072cea821b23ea78090e5af192452484
                                                                                                                                                                                                                                          • Instruction ID: bba05dd7d02f31e0a3368645965117211a4075665f8af456a52ae0e7dcd6d609
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b687510285ad6f02addb4720851d1da072cea821b23ea78090e5af192452484
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18514A74E8030D6BDF20EB64DC86FD977A4AF24760F140298FA08B7181CAF99D849F91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadLibraryW.KERNEL32(?,4638DA1B,00000000,?,?,?,00F73AE3,00000000,00000000,?,00000000,811C9DC5,path,00000004,?), ref: 00F72B73
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Dispatcher), ref: 00F72B98
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Controller), ref: 00F72BA7
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Release), ref: 00F72BC8
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00F72C46
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00F72CC3
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00F73AE3,00000000,00000000,?,00000000,811C9DC5,path,00000004), ref: 00F72CCB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • NWebAdvisor::NXmlUpdater::InternalImpl::GetInstance, xrefs: 00F72CDF
                                                                                                                                                                                                                                          • Failed to load library %s. Error 0x%08X, xrefs: 00F72CD5
                                                                                                                                                                                                                                          • Release, xrefs: 00F72BC2
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\Hound.cpp, xrefs: 00F72CE4
                                                                                                                                                                                                                                          • Dispatcher, xrefs: 00F72B92
                                                                                                                                                                                                                                          • Controller, xrefs: 00F72B9E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressLibraryProc$Free$ErrorLastLoad
                                                                                                                                                                                                                                          • String ID: Controller$Dispatcher$Failed to load library %s. Error 0x%08X$NWebAdvisor::NXmlUpdater::InternalImpl::GetInstance$Release$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\Hound.cpp
                                                                                                                                                                                                                                          • API String ID: 2058215185-435243658
                                                                                                                                                                                                                                          • Opcode ID: 00abc170956ddcb55d226360b9865054358141523ba25bdbb97ccfeb7548423c
                                                                                                                                                                                                                                          • Instruction ID: ccaf0b2986f01ae4104caaa2b491492b636c2e191fbe01305fb77a338598fd5c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00abc170956ddcb55d226360b9865054358141523ba25bdbb97ccfeb7548423c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB4160B1900318DFD7008FA9D984BAEBBF4FF18720F15415AE509EB291DBB58940DF96
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$Info
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2509303402-0
                                                                                                                                                                                                                                          • Opcode ID: 8b7ce9d1f498020dafd4fe0d4c3f81fcef477f279fbd0e61ca21aaa630a469d8
                                                                                                                                                                                                                                          • Instruction ID: 628d80e3a826abf24a7a38d163f04ea5a67a6a39a1234c1a19e248be3d7e3590
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b7ce9d1f498020dafd4fe0d4c3f81fcef477f279fbd0e61ca21aaa630a469d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19D1BC71D003469FDB21DFB9C881BEEBBB5FF08310F144069E895A7282E675A845EF60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4B311
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4B3AA
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4B43B
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4B21A
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4B64F
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F4B67C
                                                                                                                                                                                                                                            • Part of subcall function 00F51230: InitOnceBeginInitialize.KERNEL32(0102823C,00000000,?,00000000,?,?,?,?,00000000,00000000,?,4638DA1B,?,?), ref: 00F5125A
                                                                                                                                                                                                                                            • Part of subcall function 00F51230: InitOnceComplete.KERNEL32(0102823C,00000000,00000000), ref: 00F51278
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Error unable to encode the hash in Base64, xrefs: 00F4B40B
                                                                                                                                                                                                                                          • HMAC creator initialization failed, xrefs: 00F4B17D
                                                                                                                                                                                                                                          • Failed to allocate HMAC buffer, xrefs: 00F4B276
                                                                                                                                                                                                                                          • Failed to allocate HMAC base64 buffer, xrefs: 00F4B37A
                                                                                                                                                                                                                                          • HMAC failed to get digest size, xrefs: 00F4B1EA
                                                                                                                                                                                                                                          • Invalid arguments supplied to HMACSha256 hash., xrefs: 00F4B61C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$InitOnce$BeginCompleteInitialize$Concurrency::cancel_current_task
                                                                                                                                                                                                                                          • String ID: Error unable to encode the hash in Base64$Failed to allocate HMAC base64 buffer$Failed to allocate HMAC buffer$HMAC creator initialization failed$HMAC failed to get digest size$Invalid arguments supplied to HMACSha256 hash.
                                                                                                                                                                                                                                          • API String ID: 1609125544-1991084185
                                                                                                                                                                                                                                          • Opcode ID: 567d4edc409ea72f11da61dbff8bfed1691517b7ef17957dfeec0aa28a149e87
                                                                                                                                                                                                                                          • Instruction ID: ab75f018f479454708cbe72f60f1ca5761991eeec3dbd0ab4245b3cc73d63469
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 567d4edc409ea72f11da61dbff8bfed1691517b7ef17957dfeec0aa28a149e87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5F1E470D002489FDF14EFA4CC55BEDFBB4BF54310F144198E805A7286EBB89A89EB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4E8A8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Authorization: , xrefs: 00F4E8EB
                                                                                                                                                                                                                                          • HTTP status error for Azure: , xrefs: 00F4EA71
                                                                                                                                                                                                                                          • Failed to create access token, xrefs: 00F4E881
                                                                                                                                                                                                                                          • HTTP send request failed for Azure: , xrefs: 00F4EB62
                                                                                                                                                                                                                                          • HTTP receive response failed for Azure: , xrefs: 00F4EAE7
                                                                                                                                                                                                                                          • `, xrefs: 00F4EC31
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorOncestd::ios_base::_$BeginCompleteInitialize
                                                                                                                                                                                                                                          • String ID: Authorization: $Failed to create access token$HTTP receive response failed for Azure: $HTTP send request failed for Azure: $HTTP status error for Azure: $`
                                                                                                                                                                                                                                          • API String ID: 539357862-2990323874
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0102742C,00000FA0,?,?,00FA87C5), ref: 00FA87F3
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00FA87C5), ref: 00FA87FE
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00FA87C5), ref: 00FA880F
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FA8821
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FA882F
                                                                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00FA87C5), ref: 00FA8852
                                                                                                                                                                                                                                          • DeleteCriticalSection.KERNEL32(0102742C,00000007,?,?,00FA87C5), ref: 00FA8875
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00FA87C5), ref: 00FA8885
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • WakeAllConditionVariable, xrefs: 00FA8827
                                                                                                                                                                                                                                          • SleepConditionVariableCS, xrefs: 00FA881B
                                                                                                                                                                                                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FA87F9
                                                                                                                                                                                                                                          • kernel32.dll, xrefs: 00FA880A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                                                                                                                                                                          • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 2565136772-3242537097
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F70490: CreateDirectoryW.KERNEL32(?,00000000,?), ref: 00F704AA
                                                                                                                                                                                                                                            • Part of subcall function 00F70490: GetLastError.KERNEL32 ref: 00F704B8
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000000,00000000,00000000,0000005C,00000001,00000000), ref: 00F70BB5
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F70BC2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateErrorLast$DirectoryFile
                                                                                                                                                                                                                                          • String ID: CreateDir failed for %s$CreateFile failed for %s: %d$NWebAdvisor::NUtils::StoreBufferInFile$WriteFile failed: %d$\$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\FileUtils.cpp
                                                                                                                                                                                                                                          • API String ID: 1552088572-2321083101
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00FAC435
                                                                                                                                                                                                                                          • type_info::operator==.LIBVCRUNTIME ref: 00FAC457
                                                                                                                                                                                                                                          • ___TypeMatch.LIBVCRUNTIME ref: 00FAC566
                                                                                                                                                                                                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 00FAC638
                                                                                                                                                                                                                                          • _UnwindNestedFrames.LIBCMT ref: 00FAC6BC
                                                                                                                                                                                                                                          • CallUnexpected.LIBVCRUNTIME ref: 00FAC6D7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                                                                                                          • API String ID: 2123188842-393685449
                                                                                                                                                                                                                                          • Opcode ID: a22f0a673b834625a80c43eb2c3eaa2f14fe94db49dde0395bf6441fb21ca21c
                                                                                                                                                                                                                                          • Instruction ID: 47caef7651c133b73c6578f550ef63ec604d5d8a9a2dbf4ba487f2a3d8100c43
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a22f0a673b834625a80c43eb2c3eaa2f14fe94db49dde0395bf6441fb21ca21c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86B16BB1C00209EFCF19DFA4C9819AEBBB5BF0A320B14415AF8156B212D735EA51EFD5
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DeviceIoControl.KERNEL32(4638DA1B,9EDBA51C,00000000,00000000,00000000,00000000,?,00000000), ref: 00F469E9
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(4638DA1B,?,?,00000000), ref: 00F469FB
                                                                                                                                                                                                                                          • DeviceIoControl.KERNEL32(00000000,9EDB651C,00000000,00000000,00000000,00000000,?,00000000), ref: 00F46A2A
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00F46A3D
                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mfeaaca.dll,?), ref: 00F46A8B
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,NotComDllUnload), ref: 00F46A9E
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00F46AB8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Handle$CloseControlDevice$AddressFreeLibraryModuleProc
                                                                                                                                                                                                                                          • String ID: NotComDllUnload$mfeaaca.dll
                                                                                                                                                                                                                                          • API String ID: 2321898493-1077453148
                                                                                                                                                                                                                                          • Opcode ID: 5843ec06828433daa205ac5650dc9621fa518283d778a2b78d249bb959bcfbda
                                                                                                                                                                                                                                          • Instruction ID: c9fd767d39f7c0ff04921f8dbd4559c59e8cb7bddbc7c7776f97a25b82615e51
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5843ec06828433daa205ac5650dc9621fa518283d778a2b78d249bb959bcfbda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D31B3717007059BEB249F24EC89F2A7BA8AF45B20F144618FE15EB2D4DB74EC04DA52
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • NWebAdvisor::CHttpTransaction::Connect, xrefs: 00F843D8
                                                                                                                                                                                                                                          • NWebAdvisor::CHttpTransaction::SetAutoProxy, xrefs: 00F84325
                                                                                                                                                                                                                                          • NWebAdvisor::CHttpTransaction::SetAutoProxyUrl, xrefs: 00F84388
                                                                                                                                                                                                                                          • Unable to set proxy option, error: %d, xrefs: 00F843CE
                                                                                                                                                                                                                                          • # SetAutoProxyUrl: Can't get proxy. Err: %d, xrefs: 00F84381
                                                                                                                                                                                                                                          • # SetAutoProxy: Can't get proxy. Err: %d, xrefs: 00F8431E
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpTransaction_sacore.cpp, xrefs: 00F8432A, 00F8438D, 00F843DD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                                                                                                          • String ID: # SetAutoProxy: Can't get proxy. Err: %d$# SetAutoProxyUrl: Can't get proxy. Err: %d$NWebAdvisor::CHttpTransaction::Connect$NWebAdvisor::CHttpTransaction::SetAutoProxy$NWebAdvisor::CHttpTransaction::SetAutoProxyUrl$Unable to set proxy option, error: %d$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\HttpTransaction_sacore.cpp
                                                                                                                                                                                                                                          • API String ID: 1452528299-2881327693
                                                                                                                                                                                                                                          • Opcode ID: 16b178078f6236f6bd80ebc49037ab6748c63e2b989015bab767365016488745
                                                                                                                                                                                                                                          • Instruction ID: 404cab62c2a222056cfff349e9046167448fe2a3c9bccd180bb4d0fd493613df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 16b178078f6236f6bd80ebc49037ab6748c63e2b989015bab767365016488745
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B416071E4031AAFEB20DFA4CC45BEEB7F8FF08714F108119E914A6280D7B5A954EB65
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: __aulldvrm
                                                                                                                                                                                                                                          • String ID: :$f$f$f$p$p$p
                                                                                                                                                                                                                                          • API String ID: 1302938615-1434680307
                                                                                                                                                                                                                                          • Opcode ID: cea7733dabf86bc5c6ea0c60d40b02c71f29b3b5f468f1def6264aa648266a2d
                                                                                                                                                                                                                                          • Instruction ID: 7b8059e7007a8940c3b879153be30e9dbc3a431954015299304bc5794c948aca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cea7733dabf86bc5c6ea0c60d40b02c71f29b3b5f468f1def6264aa648266a2d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E40280F6E00219DEDF20CFA4D8446EDBBB6FB46B14FA88115D415BB280D7705E88EB25
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA6947
                                                                                                                                                                                                                                            • Part of subcall function 00F5C960: std::_Lockit::_Lockit.LIBCPMT ref: 00F5C995
                                                                                                                                                                                                                                            • Part of subcall function 00F5C960: std::_Lockit::_Lockit.LIBCPMT ref: 00F5C9B7
                                                                                                                                                                                                                                            • Part of subcall function 00F5C960: std::_Lockit::~_Lockit.LIBCPMT ref: 00F5C9D7
                                                                                                                                                                                                                                            • Part of subcall function 00F5C960: std::_Lockit::~_Lockit.LIBCPMT ref: 00F5CAB1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
                                                                                                                                                                                                                                          • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                                                                                                                                                                                                                          • API String ID: 1383202999-2891247106
                                                                                                                                                                                                                                          • Opcode ID: c1af9f5e8442bf3f362c1506327d9540b3ae5f06760ad7e441e25fb9e1c7bd3f
                                                                                                                                                                                                                                          • Instruction ID: f6c89c32b7c6a40b6121d881ef88a8126721c63b7c8636818144ad5edfe33d9a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1af9f5e8442bf3f362c1506327d9540b3ae5f06760ad7e441e25fb9e1c7bd3f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04B18DF290010AABDF19DF68CD55EBE3BB9EF56324F084119FA42E6251D635DA10FB20
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00000000,?,?,4638DA1B,00000000), ref: 00F80E20
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F80E2E
                                                                                                                                                                                                                                            • Part of subcall function 00F80FA0: GetModuleHandleW.KERNEL32(kernel32.dll,4638DA1B,000000FF,00000000,00000000,00FDDF30,000000FF), ref: 00F80FE8
                                                                                                                                                                                                                                            • Part of subcall function 00F80FA0: GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 00F80FF8
                                                                                                                                                                                                                                            • Part of subcall function 00F80FA0: GetLastError.KERNEL32 ref: 00F81058
                                                                                                                                                                                                                                            • Part of subcall function 00F68650: std::locale::_Init.LIBCPMT ref: 00F6882F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • NWebAdvisor::CCabParser::GetContentFile, xrefs: 00F80D9B, 00F80E3C
                                                                                                                                                                                                                                          • CreateFile failed: %d, xrefs: 00F80E35
                                                                                                                                                                                                                                          • Failed to load cab %s, xrefs: 00F80F05
                                                                                                                                                                                                                                          • NWebAdvisor::CCabParser::LoadCabFile, xrefs: 00F80F0C
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h, xrefs: 00F80DA0, 00F80E41, 00F80F11
                                                                                                                                                                                                                                          • Unable to create destination directory (%d), xrefs: 00F80D94
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$AddressCreateFileHandleInitModuleProcstd::locale::_
                                                                                                                                                                                                                                          • String ID: CreateFile failed: %d$Failed to load cab %s$NWebAdvisor::CCabParser::GetContentFile$NWebAdvisor::CCabParser::LoadCabFile$Unable to create destination directory (%d)$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h
                                                                                                                                                                                                                                          • API String ID: 1808632809-3418505487
                                                                                                                                                                                                                                          • Opcode ID: 1e3504c0425bd53cffd8985517a3a0c100ab6871135acd8cc51f490b4a051fd4
                                                                                                                                                                                                                                          • Instruction ID: e45c367b2032251a667d406956064d925bbde1522f7a0278818793cf655d5527
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e3504c0425bd53cffd8985517a3a0c100ab6871135acd8cc51f490b4a051fd4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D491B171A002089FDB14EFA4CC86BEEB7B4EF04714F60812DF515A7291DB79AA09DB61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CertGetCertificateContextProperty.CRYPT32(?,00000003,00000000,00000000), ref: 00F7E877
                                                                                                                                                                                                                                          • CertGetCertificateContextProperty.CRYPT32(?,00000003,00000000,00000014), ref: 00F7E8A9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CertCertificateContextProperty
                                                                                                                                                                                                                                          • String ID: 1.2.840.10045.4.1$1.2.840.10045.4.3$1.2.840.10045.4.3.2$1.2.840.10045.4.3.3$1.2.840.10045.4.3.4
                                                                                                                                                                                                                                          • API String ID: 665277682-3196566809
                                                                                                                                                                                                                                          • Opcode ID: 5dc6d3520d4a0514d0748ba566f1fc07d4c45be8a0130d3747c9a214bcbefcb9
                                                                                                                                                                                                                                          • Instruction ID: b2024f3db2a0f04d2540c58329a81ed2f0b3f0561ec2b503c4942f40259f7972
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5dc6d3520d4a0514d0748ba566f1fc07d4c45be8a0130d3747c9a214bcbefcb9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06510472E002059BCF249E24DC91BAAB7A5AF19330F1882EBD91D9B252D731ED14E753
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: z
                                                                                                                                                                                                                                          • API String ID: 0-1657960367
                                                                                                                                                                                                                                          • Opcode ID: 2d967e532c4bcd4e19ae9a377454514614c2c1e94aa87b660ebaa267d5c318bf
                                                                                                                                                                                                                                          • Instruction ID: 98b88ce411e9db92346aae8e71649fe57217afe595cb1d2a9fa769d319b8df8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d967e532c4bcd4e19ae9a377454514614c2c1e94aa87b660ebaa267d5c318bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E519476E002499BEB14DF94DC84FEEB7B9FB44325F100169EA05A7280D7759E48EBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,4638DA1B,?,?), ref: 00F4A531
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4A73D
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4A7AC
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4A989
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$Mtx_unlockMultipleObjectsWait
                                                                                                                                                                                                                                          • String ID: Event string is empty$Unexpected return value: $`
                                                                                                                                                                                                                                          • API String ID: 1703231451-782899158
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::locale::_Init.LIBCPMT ref: 00F7C641
                                                                                                                                                                                                                                            • Part of subcall function 00F93084: __EH_prolog3.LIBCMT ref: 00F9308B
                                                                                                                                                                                                                                            • Part of subcall function 00F93084: std::_Lockit::_Lockit.LIBCPMT ref: 00F93096
                                                                                                                                                                                                                                            • Part of subcall function 00F93084: std::locale::_Setgloballocale.LIBCPMT ref: 00F930B1
                                                                                                                                                                                                                                            • Part of subcall function 00F93084: std::_Lockit::~_Lockit.LIBCPMT ref: 00F93107
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F7C6CB
                                                                                                                                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F7C713
                                                                                                                                                                                                                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00F7C748
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F7C7DD
                                                                                                                                                                                                                                            • Part of subcall function 00FAE960: _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F7C82B
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F7C84C
                                                                                                                                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00F7C85B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_std::locale::_$Locinfo::_$AddfacH_prolog3InitLocimp::_Locimp_Locinfo_ctorLocinfo_dtorSetgloballocale_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3887427400-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$___from_strstr_to_strchr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3409252457-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FA987E: EnterCriticalSection.KERNEL32(010277A0,?,00000001,?,00F586A7,00000000,?,00000001,?,00000000,?,?,00F5C338,-00000010), ref: 00FA9889
                                                                                                                                                                                                                                            • Part of subcall function 00FA987E: LeaveCriticalSection.KERNEL32(010277A0,?,00F586A7,00000000,?,00000001,?,00000000,?,?,00F5C338,-00000010,?,?,?,4638DA1B), ref: 00FA98B5
                                                                                                                                                                                                                                          • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000), ref: 00F586D6
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00F586E4
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00F586EF
                                                                                                                                                                                                                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00F586FD
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(00000000,?,00000006), ref: 00F58764
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(00000000,00000000), ref: 00F58776
                                                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 00F58785
                                                                                                                                                                                                                                          • SizeofResource.KERNEL32(00000000,00000000), ref: 00F58797
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$CriticalFindLoadLockSectionSizeof$EnterLeave
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 506522749-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: GetLastError.KERNEL32(00000008,00000016,00000000,00FC4E01), ref: 00FC1CAE
                                                                                                                                                                                                                                            • Part of subcall function 00FC1CA9: SetLastError.KERNEL32(00000000,00000006,000000FF), ref: 00FC1D4C
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0B8A
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0BA3
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0BE1
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0BEA
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0BF6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$ErrorLast
                                                                                                                                                                                                                                          • String ID: C
                                                                                                                                                                                                                                          • API String ID: 3291180501-1037565863
                                                                                                                                                                                                                                          • Opcode ID: 727da08dc304dfe4c6750de1a3b3267b2d6796498ba342e127d457680572e6a9
                                                                                                                                                                                                                                          • Instruction ID: 1a9ae781ee32eef748b9daaf834fdebacf2b09bca7a6dbd4e02894569ad87ff5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 727da08dc304dfe4c6750de1a3b3267b2d6796498ba342e127d457680572e6a9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CB13675A0121ADBDB24DF28C985FA9B7B4FB48314F1045EEE84AA7351DB34AE81DF40
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F5C995
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F5C9B7
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5C9D7
                                                                                                                                                                                                                                          • __Getctype.LIBCPMT ref: 00F5CA70
                                                                                                                                                                                                                                          • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00F5CA82
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F5CA8F
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5CAB1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeLocinfoLocinfo::~_Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3947131827-0
                                                                                                                                                                                                                                          • Opcode ID: eea8a18a3604cc1d668fd5c585482739ae0ba80ce61378cf4b95063c633deb05
                                                                                                                                                                                                                                          • Instruction ID: 3e08f7cbb445988dc8609b0ebb7dea8eb13778751af2456e37a6073a858edbe4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eea8a18a3604cc1d668fd5c585482739ae0ba80ce61378cf4b95063c633deb05
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B641BE71D002488FDF25DF58C851BAEBBB4FF54314F204159E85AAB251DB39AA0AEB81
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,4638DA1B,?,?), ref: 00F4A531
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4A58B
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4A989
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4A99D
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Unexpected return value: , xrefs: 00F4A8CC
                                                                                                                                                                                                                                          • Thread signalled when event queue is empty, xrefs: 00F4A614
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorMtx_unlockOncestd::ios_base::_$BeginCompleteInitializeMultipleObjectsWait
                                                                                                                                                                                                                                          • String ID: Thread signalled when event queue is empty$Unexpected return value:
                                                                                                                                                                                                                                          • API String ID: 3324347728-3645029203
                                                                                                                                                                                                                                          • Opcode ID: 265c0cd340511a5345813de10664acdebf6544ecf9315c972edc179b8983f244
                                                                                                                                                                                                                                          • Instruction ID: 55022c8c97b1385c5c89012ba9bdac9f36fe16c49994dbbc42b41a3e6997e440
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 265c0cd340511a5345813de10664acdebf6544ecf9315c972edc179b8983f244
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5441D3B1D012589AEF14EFA0CD497DDBB74BF50320F104298E805672C1DB785B85EF52
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                                          • API String ID: 0-537541572
                                                                                                                                                                                                                                          • Opcode ID: 4682a251fcc4388cd3a1283e387bf608724c7dfbfab4775ed1b986c11f60b517
                                                                                                                                                                                                                                          • Instruction ID: f2d8ee22fff08e0f176df147012478364fe5f5dd17ecfd430f70410fab1ebd10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4682a251fcc4388cd3a1283e387bf608724c7dfbfab4775ed1b986c11f60b517
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14210872E41213ABDB328A249E97F5A37589F11770F150118FD55EB2D1D630FC00E5E0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 00FA8128
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FA81B6
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FA8228
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00FA8242
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FA82A5
                                                                                                                                                                                                                                          • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00FA82C2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$CompareInfoString
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2984826149-0
                                                                                                                                                                                                                                          • Opcode ID: 5953db23d692ff0c8b9e903e3891acfef34cba1c39996c81fb05a23bd0392915
                                                                                                                                                                                                                                          • Instruction ID: c1797645a7d6a09207a3e4c6fe62d98623bbd4c88b818668ab8ed5f76012e0af
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5953db23d692ff0c8b9e903e3891acfef34cba1c39996c81fb05a23bd0392915
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D27192B2D0064A9EDF219FA4CC41BFF7BB6AF463A0F144119E845A7150DFB58842E760
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00F96901
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00F9696C
                                                                                                                                                                                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F96989
                                                                                                                                                                                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00F969C8
                                                                                                                                                                                                                                          • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F96A27
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00F96A4A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiStringWide
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2829165498-0
                                                                                                                                                                                                                                          • Opcode ID: f2a4c3776dd16da265c029b5d0cfd6d8d9e17c083480001e919fd14266dae337
                                                                                                                                                                                                                                          • Instruction ID: 63b5934652f25211b1b516e68fedb68ae7ce7c846d1c519901821656b11a1301
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2a4c3776dd16da265c029b5d0cfd6d8d9e17c083480001e919fd14266dae337
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB518E72D0021AAFEF209F64CD45FAB7BA9EF45B60F148429F914EA150E739DD10EB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,?,00000000), ref: 00F3E7D7
                                                                                                                                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(00000000,00000000,00000000,?), ref: 00F3E811
                                                                                                                                                                                                                                          • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000004,00000000,00000000,00000000,00000000,?), ref: 00F3E86D
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00F3E8C7
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00F3E8DC
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00F3E917
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Security$DescriptorFreeLocal$ConvertDaclInfoNamedString
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2792426717-0
                                                                                                                                                                                                                                          • Opcode ID: acefbd017db6bebb5b3793259e5b2d289bcacefaeec3b8178c2a3ff23de7de9c
                                                                                                                                                                                                                                          • Instruction ID: ed518748a6f638a727596434aab68114c0bf56f52e8a32068f10363f372875d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acefbd017db6bebb5b3793259e5b2d289bcacefaeec3b8178c2a3ff23de7de9c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A416F71E01248EBEF10CFA4DD89BDEB7B9EF04724F200129F901A6290D7799A48DB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F38D46
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F38D66
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F38D86
                                                                                                                                                                                                                                          • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00F38E57
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F38E64
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F38E86
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_LocinfoLocinfo::~_Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2966223926-0
                                                                                                                                                                                                                                          • Opcode ID: 97f6655015691beecc6abb254670b7f9613385453ed7dcb47ff830a3bb218d9b
                                                                                                                                                                                                                                          • Instruction ID: 225e693212e79234f2a811ba6aa725bcc0430f17b7b5291ca692b382efc89a7a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97f6655015691beecc6abb254670b7f9613385453ed7dcb47ff830a3bb218d9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B41DD71900205CBDF21DF95C881BAEBBB0FF50364F24415AE406AB281DF79AA0ADB81
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F9829F
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F982A9
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00F982E3
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F982FA
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F9831A
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98327
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F9820A
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F98214
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00F9824E
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F98265
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F98285
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98292
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F983C9
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F983D3
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00F9840D
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F98424
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F98444
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98451
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F94362
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F9436C
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • codecvt.LIBCPMT ref: 00F943A6
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F943BD
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F943DD
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F943EA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2133458128-0
                                                                                                                                                                                                                                          • Opcode ID: 352a789a187f4237ee0898ee5e491a2e1d5fbb329b8f719486ab60f2635e2fe0
                                                                                                                                                                                                                                          • Instruction ID: 2c6dafd059c251b18a3d1398e9251fe9eacff6ec85b70ddbbce9a3d5f8cb12cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 352a789a187f4237ee0898ee5e491a2e1d5fbb329b8f719486ab60f2635e2fe0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8901AD359001199BDF05FBA4D842EAE7765BF60720F240109F415AB281CF78AA06AB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F98334
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F9833E
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00F98378
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F9838F
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F983AF
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F983BC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          • Opcode ID: 79e59088b235641420cdd913699d00993ec33595cd93ad9fe7435af2d6351b03
                                                                                                                                                                                                                                          • Instruction ID: edb7cf27c0f283684c8bf86086714217a6833aeab0790b1ba6ffcf310b122ecc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79e59088b235641420cdd913699d00993ec33595cd93ad9fe7435af2d6351b03
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5201C0719001199BDF14EB64CC42ABE77B5BF51760F240009F810AB381CF789E02AB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA447C
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA4486
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • collate.LIBCPMT ref: 00FA44C0
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA44D7
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA44F7
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA4504
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1767075461-0
                                                                                                                                                                                                                                          • Opcode ID: a6e665b7828c0cdd678f678aa6e581e035b2313e5de4340cca7137e1494dd338
                                                                                                                                                                                                                                          • Instruction ID: 7065a1a2011f0a58e614360ec89f7fcf245d0ffea3bc7dbe414eb1236e3a859a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6e665b7828c0cdd678f678aa6e581e035b2313e5de4340cca7137e1494dd338
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C01C0B5D001199BCB05EB64DC42AAE7771BF95720F244409FC11AB3C2CFB8AE01AB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA4511
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA451B
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • messages.LIBCPMT ref: 00FA4555
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA456C
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA458C
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA4599
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 958335874-0
                                                                                                                                                                                                                                          • Opcode ID: ba3957def959d36909a129746d7a0d412d7e344166f884eb5b8921ddd0b75bb4
                                                                                                                                                                                                                                          • Instruction ID: c52309ce003b8d132ec9b9a4a6bf024836c451f400570fda4696f7ccd17d1b31
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba3957def959d36909a129746d7a0d412d7e344166f884eb5b8921ddd0b75bb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 670180B5D001299FCB15EB64DC42ABE7775BF95720F28050AF811AB381CFB8AE01A791
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA46D0
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA46DA
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00FA4714
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA472B
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA474B
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA4758
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          • Opcode ID: 062cf97b128bb08215f2b8ecc263b20468f56b9182fe98c9bafb67f7cfa21973
                                                                                                                                                                                                                                          • Instruction ID: 1f0418f7eeaedb160990b03dd5439d016dd4fc1f63e54078731e8be7c7a23aa1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 062cf97b128bb08215f2b8ecc263b20468f56b9182fe98c9bafb67f7cfa21973
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D701D275D001599BCB14EB64CC42ABE77B5BF91330F250009F824AB381CFB8AE01EB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F9861D
                                                                                                                                                                                                                                          • numpunct.LIBCPMT ref: 00F98661
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F98678
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F98698
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F986A5
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F98627
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3064348918-0
                                                                                                                                                                                                                                          • Opcode ID: b97f05a244113b07457e950873922eeaf4990a192018ab040e1280329a2491ca
                                                                                                                                                                                                                                          • Instruction ID: 2fa5485fecacf0110904e90136fb08071158bb480f8cd4a2555804c57038444c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b97f05a244113b07457e950873922eeaf4990a192018ab040e1280329a2491ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1401C0719002199BDF04EBA4CC46AAE7771BF90764F240009E914AB2C1DFB99E02AB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA4765
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA476F
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • moneypunct.LIBCPMT ref: 00FA47A9
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA47C0
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA47E0
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA47ED
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3376033448-0
                                                                                                                                                                                                                                          • Opcode ID: 0e5fbc06508ba718289cb4f6568a3cd0e3f996ee72264fb7e7d262838fbd3a54
                                                                                                                                                                                                                                          • Instruction ID: fc6e05e63ba31b2133de7299f728bfc82b5bd2f5a9f733ade1c5a0b178143bc4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e5fbc06508ba718289cb4f6568a3cd0e3f996ee72264fb7e7d262838fbd3a54
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C701D275D1011A9BCB14EF64DC42ABE7771BF91724F240109F811AB381CFB8AE01EB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F5C546
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F5C54B
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F5C550
                                                                                                                                                                                                                                            • Part of subcall function 00FAE960: _free.LIBCMT ref: 00FAE973
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_task$_free
                                                                                                                                                                                                                                          • String ID: false$true
                                                                                                                                                                                                                                          • API String ID: 149343396-2658103896
                                                                                                                                                                                                                                          • Opcode ID: 860043faba6aecbd77e7c4e9ce6207ec70b26af14d10a43b00fba51f46d440fd
                                                                                                                                                                                                                                          • Instruction ID: 113449445429f6a92b00be914dd573955898f2cc34298f2b391975312f6ec1da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 860043faba6aecbd77e7c4e9ce6207ec70b26af14d10a43b00fba51f46d440fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 194124759003409FDB21EF64DC41BAABBF4EF06310F08855DE9469B742E77AE909DBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00FAD278,?,?,010277FC,00000000,?,00FAD3A3,00000004,InitializeCriticalSectionEx,0100013C,01000144,00000000), ref: 00FAD247
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                          • API String ID: 3664257935-2084034818
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00F5E172
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F5E182
                                                                                                                                                                                                                                          • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00F5E1C2
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                                                                                                                                                                                          • String ID: Advapi32.dll$RegDeleteKeyExW
                                                                                                                                                                                                                                          • API String ID: 588496660-2191092095
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F81210
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00F8121A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • WriteFile failed: %d, xrefs: 00F81221
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h, xrefs: 00F8122D
                                                                                                                                                                                                                                          • NWebAdvisor::CCabParser::Write, xrefs: 00F81228
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                                          • String ID: NWebAdvisor::CCabParser::Write$WriteFile failed: %d$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h
                                                                                                                                                                                                                                          • API String ID: 442123175-2264278858
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32), ref: 00F608A9
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00F608C0
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00F608D7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressCurrentHandleModuleProcProcess
                                                                                                                                                                                                                                          • String ID: IsWow64Process$kernel32
                                                                                                                                                                                                                                          • API String ID: 4190356694-3789238822
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00FBE935,?,?,00FBE8FD,00000002,00000002,?), ref: 00FBE955
                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FBE968
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00FBE935,?,?,00FBE8FD,00000002,00000002,?), ref: 00FBE98B
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                          • Opcode ID: 6311a9e038f403203422b87b12cd7fe2e90871fd478ff3e3cfc484e1cf4d05b1
                                                                                                                                                                                                                                          • Instruction ID: e32ac17484468a38069889beefe2b86e7c7fb126c247c7e5395d924da6da8b68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6311a9e038f403203422b87b12cd7fe2e90871fd478ff3e3cfc484e1cf4d05b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF08C31A5021CFBDB129B52ED49FDDBE78EF00B65F000064F504A60A0CBB08E04FA91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FC2174: RtlAllocateHeap.NTDLL(00000000,?,?,?,00FA872D,?,?,00F3A1ED,0000002C,4638DA1B), ref: 00FC21A6
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0501
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0518
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0535
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0550
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00FC0567
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$AllocateHeap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3033488037-0
                                                                                                                                                                                                                                          • Opcode ID: e6fe75a760ee48487e1dd8eb1bd8ebc8e309f8fccbfd98a1bcbc578fad1b4b5f
                                                                                                                                                                                                                                          • Instruction ID: 2c93bd684d151915b43f1994c1735f252d8cf4e3b9fcafb93626972410c7d8e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6fe75a760ee48487e1dd8eb1bd8ebc8e309f8fccbfd98a1bcbc578fad1b4b5f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E517B72A00706EFDB25DF29DE42F6A77F4EB48720B14096DE545D7290EB35EA02EB40
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F943F7
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F94401
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F94452
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F94472
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F9447F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          • Opcode ID: 19268407d46302bfac06e1e621618eb4eb0208b0264c77c0fbae79777c3f10f8
                                                                                                                                                                                                                                          • Instruction ID: 9d0e4d2455534e366df98dda39006c38f8e9fa2b286593d2cb73f420af00f46b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19268407d46302bfac06e1e621618eb4eb0208b0264c77c0fbae79777c3f10f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5101C075D00129DBDF14EB68CC41AAEB771BFA0720F240009F910AB281DF78AE06AB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F980E0
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F980EA
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F9813B
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F9815B
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98168
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          • Opcode ID: 7f4edd490c007689869b138faa597564fcca530f2504d088d240f01a3c4bdb0d
                                                                                                                                                                                                                                          • Instruction ID: e6de064cb8504b8443e4ca1b4ccaf327f845b3447e4ef93fa556c660e48b1d4a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f4edd490c007689869b138faa597564fcca530f2504d088d240f01a3c4bdb0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4401DE31D002299FDF15EB64DC42ABE7B71BF91760F240409E810AB391CF799E42EB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F9804B
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F98055
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F980A6
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F980C6
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F980D3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F98175
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F9817F
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F981D0
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F981F0
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F981FD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F984F3
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F984FD
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F9854E
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F9856E
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F9857B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F9845E
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F98468
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F984B9
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F984D9
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F984E6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA45A6
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA45B0
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA4601
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA4621
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA462E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F98588
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F98592
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F985E3
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F98603
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98610
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F986B2
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F986BC
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F9870D
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F9872D
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F9873A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA463B
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA4645
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA4696
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA46B6
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA46C3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA47FA
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA4804
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA4855
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA4875
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA4882
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F987DC
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F987E6
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00F98837
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00F98857
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F98864
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00FA488F
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00FA4899
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::_Lockit.LIBCPMT ref: 00F32D30
                                                                                                                                                                                                                                            • Part of subcall function 00F32D14: std::_Lockit::~_Lockit.LIBCPMT ref: 00F32D4C
                                                                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 00FA48EA
                                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00FA490A
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00FA4917
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 55977855-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(0102742C,?,?,00F44086,0102827C,00FE68E0,?), ref: 00FA88BA
                                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0102742C,?,?,00F44086,0102827C,00FE68E0,?), ref: 00FA88ED
                                                                                                                                                                                                                                          • RtlWakeAllConditionVariable.NTDLL ref: 00FA8964
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,00F44086,0102827C,00FE68E0,?), ref: 00FA896E
                                                                                                                                                                                                                                          • ResetEvent.KERNEL32(?,00F44086,0102827C,00FE68E0,?), ref: 00FA897A
Memory Dump Source
• Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3916383385-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h, xrefs: 00F80743
                                                                                                                                                                                                                                          • CloseHandle failed: %d, xrefs: 00F80737
                                                                                                                                                                                                                                          • NWebAdvisor::CCabParser::Close, xrefs: 00F8073E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                          • String ID: CloseHandle failed: %d$NWebAdvisor::CCabParser::Close$c:\jenkins\workspace\mer_WebAdvisor_XMLUpdater_master\src\XmlUpdater\CabParser.h
                                                                                                                                                                                                                                          • API String ID: 918212764-1823807987
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 00F72319
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00F72369
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                                                          • String ID: XML hound handler failed.$_=nil}
                                                                                                                                                                                                                                          • API String ID: 3664257935-979112626
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \\?\
                                                                                                                                                                                                                                          • API String ID: 0-4282027825
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WritePrivateProfileStructW.KERNEL32(?,00000000,4752434D,00000024,00000000), ref: 00FD46E4
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00FD4728
                                                                                                                                                                                                                                          • WritePrivateProfileStructW.KERNEL32(?,00000000,?,00000004,00000000), ref: 00FD4768
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PrivateProfileStructWrite$ErrorLast
                                                                                                                                                                                                                                          • String ID: MCRG
                                                                                                                                                                                                                                          • API String ID: 3778923442-1523812224
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F93D98: FormatMessageA.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,?,?,00F404D5,?,?,4638DA1B), ref: 00F93DAE
                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00F405CC
                                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00F405F6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Concurrency::cancel_current_taskFormatFreeLocalMessage
                                                                                                                                                                                                                                          • String ID: generic$unknown error
                                                                                                                                                                                                                                          • API String ID: 3868770561-3628847473
                                                                                                                                                                                                                                          • Opcode ID: 1616a345725955979665bf8ee497fa3824ff7ec8ae9a68713eab186fcf2e76af
                                                                                                                                                                                                                                          • Instruction ID: 489d1d129d36ea0abfc3ddf1f96f35470d902a1f8b3a7807b9622cd791fc12d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1616a345725955979665bf8ee497fa3824ff7ec8ae9a68713eab186fcf2e76af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4141C5B19043059FDB20DF68C84576FBBF4EF45310F14062EF95697381DB799904ABA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\is-3DDK1.tmp\prod1_extract\saBSI.exe
                                                                                                                                                                                                                                          • API String ID: 0-802501387
                                                                                                                                                                                                                                          • Opcode ID: ca099214fa0c6956283f5e7066add8c50e7f4dc6ebe2af3a1e5b4d0b79f7a058
                                                                                                                                                                                                                                          • Instruction ID: 86dc9e9fb4a53b755f04df2bb45b57e32a2954dd23f44809e8243f2e85788d23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ca099214fa0c6956283f5e7066add8c50e7f4dc6ebe2af3a1e5b4d0b79f7a058
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F3180B1E00218ABCB31DF9ADC85DDEBBFCEB94310B108066F50597200D6789A40EF60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: H_prolog3_
                                                                                                                                                                                                                                          • String ID: /affid$MSAD_Subinfo$affid
                                                                                                                                                                                                                                          • API String ID: 2427045233-3897642808
                                                                                                                                                                                                                                          • Opcode ID: 21449a6a4f99351c0f0922dfd45b6d4efdaa86debe86227a29b137aacc69fc98
                                                                                                                                                                                                                                          • Instruction ID: e6d365a148a6340e83fd0114dd03b783cd6aab0a93fd73e28a282d0d8d0b3c44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21449a6a4f99351c0f0922dfd45b6d4efdaa86debe86227a29b137aacc69fc98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B417E71E00308DEDB08DFA4D895AEDBBB4FF09324F14406DE445A7281D734AA4ADB54
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 00FA2F57
                                                                                                                                                                                                                                            • Part of subcall function 00F97DF0: __EH_prolog3.LIBCMT ref: 00F97DF7
                                                                                                                                                                                                                                            • Part of subcall function 00F97DF0: std::_Lockit::_Lockit.LIBCPMT ref: 00F97E01
                                                                                                                                                                                                                                            • Part of subcall function 00F97DF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00F97E72
                                                                                                                                                                                                                                          • _Find_elem.LIBCPMT ref: 00FA2FF3
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                                                                                                                                                                                          • String ID: %.0Lf$0123456789-
                                                                                                                                                                                                                                          • API String ID: 2544715827-3094241602
                                                                                                                                                                                                                                          • Opcode ID: 4b124ecd58c564ab8094c166c6479f63cf51012e06c8af1ada1169a157013f04
                                                                                                                                                                                                                                          • Instruction ID: 428faba64abde625692608614a79ecf589327c7182581271118875f2c14a7635
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b124ecd58c564ab8094c166c6479f63cf51012e06c8af1ada1169a157013f04
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB416971A00218DFCF15EFA8C880AEDBBB5BF09314F10005AE911AB255DB349A56EBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,4638DA1B,?,?), ref: 00F4A531
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F4A7EC
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4A989
                                                                                                                                                                                                                                            • Part of subcall function 00F4F110: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F4F268
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • Unexpected return value: , xrefs: 00F4A8CC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Ios_base_dtorstd::ios_base::_$Mtx_unlockMultipleObjectsWait
                                                                                                                                                                                                                                          • String ID: Unexpected return value:
                                                                                                                                                                                                                                          • API String ID: 1703231451-3613193034
                                                                                                                                                                                                                                          • Opcode ID: a258b0eb221a7f3321a5faa727ff52c749cdaa7384d51023731066d483b8d2ae
                                                                                                                                                                                                                                          • Instruction ID: 57e6fe687b4886c84b0b5792c68d324d3c6f37874a3bd3854f9b5d42d87a1a26
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a258b0eb221a7f3321a5faa727ff52c749cdaa7384d51023731066d483b8d2ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E210B71D411089BDF14DFA4DD49BECBB35EF85320F104258E811972D5DB389A85EB12
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceBeginInitialize.KERNEL32(010280C4,00000000,4638DA1B,00000000,4638DA1B,00F3A219,010280CC,?,?,?,?,?,?,00F3A219,?,?), ref: 00F39BE5
                                                                                                                                                                                                                                            • Part of subcall function 00F39BB0: InitOnceComplete.KERNEL32(010280C4,00000000,00000000), ref: 00F39C1D
                                                                                                                                                                                                                                            • Part of subcall function 00F39940: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F39A12
                                                                                                                                                                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F47D3D
                                                                                                                                                                                                                                          • __Mtx_unlock.LIBCPMT ref: 00F47DC8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InitIos_base_dtorOncestd::ios_base::_$BeginCompleteInitializeMtx_unlock
                                                                                                                                                                                                                                          • String ID: P$Service has not been initialized
                                                                                                                                                                                                                                          • API String ID: 920826028-2917841385
                                                                                                                                                                                                                                          • Opcode ID: bbb8f4943d29c152261569ad7127f380a0eb1c8c1854215ce9d3f48280ed2e07
                                                                                                                                                                                                                                          • Instruction ID: 56d043b7688659f32ea00eb49badaef4cdb31326aebe0be38f09cf879df32c10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bbb8f4943d29c152261569ad7127f380a0eb1c8c1854215ce9d3f48280ed2e07
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45018471914248CEEF04EF90D952BEDB774BF55310F504069E90217281EB79A60CEA51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __EH_prolog3.LIBCMT ref: 00F33095
                                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00F330A2
                                                                                                                                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F330DF
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: std::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                                                                          • String ID: bad locale name
                                                                                                                                                                                                                                          • API String ID: 4089677319-1405518554
                                                                                                                                                                                                                                          • Opcode ID: e8e3acac593ee3c07bc5578a50fed55368fc025866bfb9b3ac311635d896d11a
                                                                                                                                                                                                                                          • Instruction ID: 29c592b7652f480314704e6ca2a0b3642f3e1a46485a81b87f3c68db47f90bbe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8e3acac593ee3c07bc5578a50fed55368fc025866bfb9b3ac311635d896d11a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84014FB0805B80DED721DF6A848154AFAE0BF29340B54892EE08A87A41CB74A604DB69
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _strrchr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3213747228-0
                                                                                                                                                                                                                                          • Opcode ID: 2052368595d85d8921707e714fa8cf7e39a0871388d90fe44b2f9a70ca8f8144
                                                                                                                                                                                                                                          • Instruction ID: 3628bac3a02b40cde067b99b92ad8137f7be1e8e4d8d3ae4ed5c1cc741290796
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2052368595d85d8921707e714fa8cf7e39a0871388d90fe44b2f9a70ca8f8144
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70B13432D042879FDB15CF28C992FAEBBE5EF55350F28456ED8459B341D6388E01EB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
• Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
• Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _strcspn$H_prolog3_ctype
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 838279627-0
                                                                                                                                                                                                                                          • Opcode ID: f87407e5607b552d9d0ce18b53d5d2c24ff795a0f9f393297aaf4c819b668c95
                                                                                                                                                                                                                                          • Instruction ID: b4de60662df917241acbe30dc111b504c3a264362c5d4d12169c775417b380df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f87407e5607b552d9d0ce18b53d5d2c24ff795a0f9f393297aaf4c819b668c95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75B15A71D0024A9FEF14DF98CC85AEEBBB5FF09310F144019E915AB251D7749E86EBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00F3463F: GetProcessHeap.KERNEL32(?,?,?,00F3E97C,4638DA1B,?,?,?,?,00FD9590,000000FF), ref: 00F34676
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,00FDFB28,000000FF), ref: 00FD2BF4
                                                                                                                                                                                                                                            • Part of subcall function 00F575F0: FindResourceExW.KERNEL32(00000000,00000006,00000000,?,00000000,?,?,?,?,?,00FD2B5D,?,00000000), ref: 00F57628
                                                                                                                                                                                                                                            • Part of subcall function 00F575F0: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,00FD2B5D,?,00000000,?,?,?,?,?,00FDFB28), ref: 00F57636
                                                                                                                                                                                                                                            • Part of subcall function 00F575F0: LockResource.KERNEL32(00000000,?,?,?,?,?,00FD2B5D,?,00000000,?,?,?,?,?,00FDFB28,000000FF), ref: 00F57641
                                                                                                                                                                                                                                            • Part of subcall function 00F575F0: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,00FD2B5D,?,00000000,?,?,?,?,?,00FDFB28), ref: 00F5764F
                                                                                                                                                                                                                                          • FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FD2B74
                                                                                                                                                                                                                                            • Part of subcall function 00F57580: LoadResource.KERNEL32(?,?,?,80070057,8007000E,80004005,00000000,?,?,?,?,?,?,?,00F5480F,4638DA1B), ref: 00F57589
                                                                                                                                                                                                                                            • Part of subcall function 00F57580: LockResource.KERNEL32(00000000,?,80070057,8007000E,80004005,00000000,?,?,?,?,?,?,?,00F5480F,4638DA1B), ref: 00F57594
                                                                                                                                                                                                                                            • Part of subcall function 00F57580: SizeofResource.KERNEL32(?,?,?,80070057,8007000E,80004005,00000000,?,?,?,?,?,?,?,00F5480F,4638DA1B), ref: 00F575A8
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000,?,?,00000006), ref: 00FD2BAB
                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?,?,?,?,00FDFB28,000000FF), ref: 00FD2C2E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997017778.0000000000F20000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2997931965.0000000000FEE000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998075425.000000000101F000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998180070.0000000001024000.00000008.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998285205.0000000001026000.00000004.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2998836092.0000000001029000.00000002.00000001.01000000.0000001C.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$ByteCharMultiWide$FindLoadLockSizeof$HeapProcess
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2838002939-0
                                                                                                                                                                                                                                          • Opcode ID: 97ad0a491c76b330d08f9d5819f3e368b3687aa6653e87f6d01118fbc81732b0
                                                                                                                                                                                                                                          • Instruction ID: cfdb3bdeba3692b53289f007ddb24a4597a4de7e51d186af8f04d13b5eb69d69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97ad0a491c76b330d08f9d5819f3e368b3687aa6653e87f6d01118fbc81732b0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D519031200641AFE7248F18CC89F2EB7EAEF64720F28455EB5419B3D1DBB5AC40DB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AdjustPointer
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1740715915-0
                                                                                                                                                                                                                                          • Opcode ID: 4534df29be41a2b63f5521c9bd5661938f8ba9d1a41585fe6548393aedc44246
                                                                                                                                                                                                                                          • Instruction ID: ad48e000e74d221e964d8a582118f123fe4bb8be68c8c222303dea4fed78056d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4534df29be41a2b63f5521c9bd5661938f8ba9d1a41585fe6548393aedc44246
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E151E2F2A40206AFDB299F98C841B7A77A4FF06724F14412EE81597292E735EC40EBD0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00F5EBCB
                                                                                                                                                                                                                                          • RegEnumKeyExW.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F5EC28
                                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,000F003F,?,?,00000000,00000000), ref: 00F5EC4F
                                                                                                                                                                                                                                            • Part of subcall function 00F5EBA0: RegCloseKey.ADVAPI32(?,?,00000000,00000000), ref: 00F5EC7E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseEnumOpenSecurity
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 611561417-0
                                                                                                                                                                                                                                          • Opcode ID: 0c45a39cba75b2e11ac6373f49813497d444bed9d01fe3a6e7070303c6808539
                                                                                                                                                                                                                                          • Instruction ID: a7a2e52de9cfd2a94f23503aae80dd21e4aff8995fb8f0303cc9910994498b88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c45a39cba75b2e11ac6373f49813497d444bed9d01fe3a6e7070303c6808539
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B931B472A0021CABDB209F54DD49FEAB7B8EB48711F0005A5FE15E6192DA749F44EB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c8106d8048a51b2b07f013a0cc4d01ffdef79bd09b6a3f6a05145efbe7c366a
                                                                                                                                                                                                                                          • Instruction ID: 09e96aacab8174d9c5ba082815611925cb66c0502fe7db21f971573ec71b11b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c8106d8048a51b2b07f013a0cc4d01ffdef79bd09b6a3f6a05145efbe7c366a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF21A1B2A04209AFEB10AF6ADC81DFB77ADEF05374720451AF425D7191D734EC50ABA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SleepConditionVariableCS.KERNELBASE(?,00FA891F,00000064), ref: 00FA89A5
                                                                                                                                                                                                                                          • LeaveCriticalSection.KERNEL32(0102742C,00F41171,?,00FA891F,00000064,?,?,?,00F4402B,0102827C,4638DA1B,?,00F41171,?), ref: 00FA89AF
                                                                                                                                                                                                                                          • WaitForSingleObjectEx.KERNEL32(00F41171,00000000,?,00FA891F,00000064,?,?,?,00F4402B,0102827C,4638DA1B,?,00F41171,?), ref: 00FA89C0
                                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(0102742C,?,00FA891F,00000064,?,?,?,00F4402B,0102827C,4638DA1B,?,00F41171,?), ref: 00FA89C7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3269011525-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00FD2AF0: FindResourceW.KERNEL32(00000000,?,00000006), ref: 00FD2B74
                                                                                                                                                                                                                                            • Part of subcall function 00FD2AF0: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000,?,?,00000006), ref: 00FD2BAB
                                                                                                                                                                                                                                            • Part of subcall function 00FD2AF0: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?,?,?,?,00FDFB28,000000FF), ref: 00FD2C2E
                                                                                                                                                                                                                                          • WritePrivateProfileStructW.KERNEL32(?,00000000,4752434D,00000024,00000002), ref: 00FD453C
                                                                                                                                                                                                                                          • WritePrivateProfileStructW.KERNEL32(?,?,00000000,?,00000002), ref: 00FD4598
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiPrivateProfileStructWideWrite$FindResource
                                                                                                                                                                                                                                          • String ID: MCRG
                                                                                                                                                                                                                                          • API String ID: 2178413835-1523812224
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00FAC707
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EncodePointer
                                                                                                                                                                                                                                          • String ID: MOC$RCC
                                                                                                                                                                                                                                          • API String ID: 2118026453-2084237596
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CLSIDFromString.OLE32(0000007B,?), ref: 00F5E650
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2997121855.0000000000F21000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_f20000_saBSI.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FromString
                                                                                                                                                                                                                                          • String ID: @${
                                                                                                                                                                                                                                          • API String ID: 1694596556-3118734784
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%